Prerequisites for Applications Manager

---

Discussed below are the prerequisites for managing the various monitors:

• Application Servers
  • GlassFish
  • JBoss
  • Oracle Application Server
  • Tomcat
  • WebLogic
  • WebSphere
  • Java Runtime Monitor
  • Resin Server
  • Jetty Server
  • Apache Geronimo
  • Microsoft .NET
• Database Servers
  • Cassandra DB
  • Dameng DB
  • IBM DB2
  • IBM Informix Server
  • Kingbase DB
  • MS SQL DB Servers
  • MongoDB Servers
  • MySQL DB Servers
  • Neo4j DB Servers
  • Oracle Database Servers
    • Oracle Pluggable Database (PDB)
  • Oracle RAC
  • PostgreSQL
  • Redis Servers
  • SAP ASE / Sybase SQL Server / Sybase ASE
  • SAP HANA
  • SAP MaxDB
  • SQL Anywhere
• Cloud Apps
  • Microsoft Azure
    • Azure Virtual Machines
    • Azure SQL Database
    • Azure Kubernetes Service (AKS)
  • Microsoft 365
  • AWS Monitoring
    • AWS API Gateway
    • AWS Billing
    • AWS Cloudfront
    • AWS Direct Connect
    • AWS DynamoDB
    • AWS Elastic Container Registry
    • AWS ECS
    • AWS EC2 Instances
    • AWS EFS
    • AWS EKS
    • AWS Elastic Beanstalk
    • AWS Elastic Load Balancer
    • AWS File Transfer Family
    • AWS FSx File Cache
    • AWS Lambda
    • AWS NAT Gateways
    • AWS RDS Instances
    • AWS Route 53 Health Checks
    • AWS SNS
    • AWS SQS
    • Amazon ActiveMQ
    • Amazon CloudHSM
    • Amazon DMS Replication Instance
    • Amazon DMS Replication Task
    • Amazon Key Management Service
    • Amazon RabbitMQ
    • Amazon Secrets Manager
    • Amazon Storage Gateway
    • Amazon Storage Gateway File Share
    • Amazon Storage Gateway Volume
    • Amazon Web Application Firewall
  • Google Cloud Platform
  • Oracle Cloud Infrastructure
    • Oracle Autonomous Database
  • OpenStack
• ERP
  • Oracle EBS
  • SAP Server / SAP CCMS
  • Microsoft Dynamics CRM / 365 (On-Premise)
  • Microsoft Dynamics AX
  • SAP Business One
  • SAP Java
• Servers
  • Windows
  • Linux
  • AIX
  • IBM i
  • Windows Cluster
• Services
  • JMX Applications
  • Ceph Monitor
  • Hadoop Monitor
  • Apache Zookeeper
  • Active Directory
  • Istio
  • Network Policy Server (Radius Server)
  • LDAP Server
  • Apache Spark
• Mail Servers
  • Exchange Server
• Java / Transactions
  • Java Runtime Monitor
• Middleware / Portal
  • IBM WebSphere MQ
  • IBM Websphere Message Broker
  • WebLogic Integration Server
  • MS Office SharePoint Server
  • Microsoft Message Queue (MSMQ)
  • Microsoft BizTalk Monitoring
  • Microsoft Skype for Business
  • Azure Service Bus
  • Apache ActiveMQ
  • Apache Kafka
  • RabbitMQ
• Virtualization
  • VMware Horizon View Connection Broker
  • Docker
  • VMware ESXi / vCenter
  • Citrix Hypervisor
  • KVM
  • Microsoft Hyper-V Server
  • Oracle VM Manager Servers
  • Red Hat Virtualization
• Web Server / Services
  • IIS Server
  • PHP
  • Apache
  • Nginx
  • Nginx Plus
  • HAProxy
  • IBM HTTP Server
  • Oracle HTTP Server
  • Real Browser Monitoring
  • Webpage Analyzer
  • Real User Monitor
  • Web Services
  • HTTP(s) URLs
  • Website Content Monitor
  • REST API Monitor
  • ManageEngine ADManager Plus
  • ManageEngine ServiceDesk Plus
  • ManageEngine OpManager
• APM Insight
  • Java Agent
  • .NET Agent
• Converged Infrastructure
  • Cisco UCS
• Custom Monitors
  • Database Query Monitor
  • Windows Performance Counter

Note: IPv6 support is available for all monitors.

---

Application Servers

Glassfish

While monitoring Glassfish application servers, make the following changes in the domain.xml file and then restart it:

• Change the "accept-all" property to "true" for the "jmx-connector" node : <jmx-connector accept-all="true"

The configuration line should look like this:
<jmx-connector accept-all="true" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="false"/>

JBoss

The prerequisites for managing the various versions of JBoss server are:

• JBoss Version 3.x and 4.x
• JBoss Version 5.x
• JBoss Version 6.x
• JBoss Version 7.x and above (EAP version 6 and above)
• JBoss Wildfly (WildFly 8 and above)

JBoss Version 3.x and 4.x

To monitor JBoss, the http-invoker.sar should be deployed in the JBoss Server. The application (http-invoker.sar) is by default deployed in the JBoss server.

If the http port of the JBoss server is changed then the port number in the attribute InvokerURLSuffix should also be modified in <JBOSS_HOME>/server/default/deploy/http-invoker.sar/META-INF/jboss-service.xml file.

JBoss Version 5x

To monitor JBoss 5.x version, jbossagent.sar should be deployed in JBoss server. To deploy, follow the steps below:

• Copy jbossagent.sar from location <Applications Manager home>/working/resources and paste under <JBOSS_HOME>/server/default/deploy
• If you are running JBoss in different domain like all, then deployment target folder would be <JBOSS_HOME>/server/all/deploy.

JBoss Version 6.x

Note: JBOSS 6 EAP should be added as JBoss 7

To monitor JBoss 6.x version, jbossagent.sar should be deployed in JBoss server. To deploy, follow the steps below:

• Copy jbossagent.sar from location <Applications Manager home>/working/resources and paste under <JBOSS_HOME>/server/default/deploy
• If you are running JBoss in different domain like all, then deployment target folder would be <JBOSS_HOME>/server/all/deploy.
• Provide the rmiRegistryPort which is available in <JBOSS_HOME>/server/<domainname>/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml file. The default port is 1090.

Example:
<bean class="org.jboss.services.binding.ServiceBindingMetadata">
<property name="serviceName">
jboss.remoting:service=JMXConnectorServer,protocol=rmi
</property>
<property name="port">1090</property>
<property name="description">RMI/JRMP socket for connecting to the JMX MBeanServer</property>
</bean>

JBoss Version 7.x and above (EAP version 6 and above)

Standalone Mode:

• In the JBoss config file (i.e. <JBOSS_HOME>\standalone\configuration\standalone-full.xml), change jboss.bind.address.management:127.0.0.1 to jboss.bind.address.management:0.0.0.0

EAP Setup:

• In the JBoss config file (i.e. <JBOSS_HOME>\domain\configuration\host.xml), change jboss.bind.address.management:127.0.0.1 to jboss.bind.address.management:0.0.0.0

JBoss Wildfly

1. Change the Management port binding to use the network accessible interface:
   • In the JBoss config file (i.e. <JBOSS_HOME>\standalone\configuration\standalone-full.xml), change the entry jboss.bind.address.management:127.0.0.1 to jboss.bind.address.management:0.0.0.0
   • Restart the service
2. Add a JBoss administration user for monitoring by navigating to <JBOSS_HOME>\bindirectory and executing the following command in command prompt:
   • Windows: add-user.bat <USERID> <PASSWORD> ManagementRealm -silent
   • Linux: ./add-user.sh <USERID> <PASSWORD> ManagementRealm -silent

Oracle Application Server

Applications Manager uses the Dynamic Monitoring Service (DMS) provided by Oracle Application Server to monitor the same. For this reason, the DMS Servlet has to be made accessible to the system where the Applications Manager is running.

To enable the access, please follow the instructions provided below
[The instructions are referred from the Oracle website: http://docs.oracle.com/cd/B14099_19/core.1012/b14001/monitor.htm]

By default, the dms0/AggreSpy URL is redirected and the redirect location is protected, allowing only the localhost (127.0.0.1) to access the AggreSpy Servlet.

To view metrics from a system other than the localhost you need to change the DMS configuration for the system that is running the Oracle Application Server that you want to monitor by modifying the file $ORACLE_HOME/Apache/Apache/conf/dms.conf on UNIX, or%ORACLE_HOME%\Apache\Apache\conf\dms.conf on Windows systems.

The following example shows a sample default configuration from dms.conf. This configuration limits AggreSpy to access metrics on the localhost (127.0.0.1). The port shown, 7200, may differ on your installation.

Example: Sample dms.conf File for localhost Access for DMS Metrics
# proxy to DMS AggreSpy
Redirect /dms0/AggreSpy http://localhost:7200/dmsoc4j/AggreSpy
#DMS VirtualHost for access and logging control
Listen 127.0.0.1:7200
OpmnHostPort http://localhost:7200
<VirtualHost 127.0.0.1:7200>
ServerName 127.0.0.1

By changing the dms.conf configuration to specify the host that provides, or serves DMS metrics, you can allow users on systems other than the localhost to access the DMS metrics from the location http://host:port/dms0/AggreSpy.

Caution: Modifying dms.conf has security implications. Only modify this file if you understand the security implications for your site. By exposing metrics to systems other than the localhost, you allow other sites to potentially view critical Oracle Application Server internal status and runtime information.

To view metrics from a system other than the localhost (127.0.0.1), do the following:

• Modify dms.conf by changing the entries with the value for localhost "127.0.0.1" shown in Example to the name of the server providing the metrics (obtain the server name from the ServerName directive in the httpd.conf file, for example tv.us.oracle.com).
• Find below a sample updated dms.conf that allows access from a system other than the localhost (127.0.0.1)

  Example: Sample dms.conf File for Remote Host Access for DMS Metrics:
  # proxy to DMS AggreSpy
  Redirect /dms0/AggreSpy http://tv.us.oracle.com:7200/dmsoc4j/AggreSpy
  #DMS VirtualHost for access and logging control
  Listen tv.us.oracle.com:7200
  OpmnHostPort http://tv.us.oracle.com:7200
  <VirtualHost tv.us.oracle.com:7200>
  ServerName tv.us.oracle.com

• Restart, or stop and start the Oracle HTTP Server using Application Server Control Console or using the Oracle Process Manager and Notification Server opmnctl command.

  For example,
  %opmnctl restartproc process-type=HTTP_Server
  or
  %opmnctl stopproc process-type=HTTP_Server
  %opmnctl startproc process-type=HTTP_Server

After performing the above steps, please ensure that you are able to access the URL http://<host>:7200/dmsoc4j/AggreSpy from the Applications Manager system.

To check if a user has select privilege:

We suggest you to execute the below query directly in your Oracle machine and check if a connected user has select privilege or not :

select TABLE_NAME,PRIVILEGE from user_tab_privs_recd where table_name in ('ALL_SCHEDULER_JOB_RUN_DETAILS','V_$RMAN_BACKUP_JOB_DETAILS','ALL_SCHEDULER_JOBS','ALL_SCHEDULER_RUNNING_JOBS');

If there is no row selected or privilege column does not have select value for the above table_name columns, then the user doesn't have privilege to access the table.

To grant Privilege:

Use the following query:

grant select on <tablename> to <username>;

Example: grant select on V_$RMAN_BACKUP_JOB_DETAILS to monitoruser;

Note: As above, you have to give grant permission on all the tables mentioned in the above query.

Tomcat Server

Browse through the following links to monitor Tomcat server for respective versions:

• Tomcat versions 7.x and above
• Tomcat versions 5.x and 6.x
• Tomcat versions 3.x and 4.x

Tomcat versions 7.x and above

To monitor Tomcat 7.x and above, an application named Manager must be running in it for Applications Manager to monitor the Tomcat server. By default, this application will be running in the server. If you have customized the Manager application (Eg. \qamanager), then you can use the option "Tomcat Manager Application URI" in the client, for Applications Manager to monitor the Tomcat server.

• The user role manager-jmx is required to access the server.
• To add a role as manager-jmx to any of the users such as tomcat, role1, or both, you need make changes in tomcat-users.xml file located under the <TOMCAT-HOME>/conf directory.
• The manager-gui role grants a user the ability to access and use the web-based graphical user interface (GUI) for the Tomcat Manager application. It is essential for managing web applications and monitoring the Tomcat server through the Manager's GUI.

To allow requests from specific client addresses in the Tomcat server, add the IP address of the host machine where Applications Manager is installed to the allow attribute in the context.xml file. This file is located in the CATALINA_HOME/webapps/manager/META-INF/ directory. By default, the Tomcat server allows requests from all client addresses.

• Default:

  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow=".*" />

• To allow a specific client address:

  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.1\.100" />

• To allow multiple client addresses:

  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.1\.100|192\.168\.1\.101|10\.0\.0\.1" />

• To allow multiple client addresses and deny specific client addresses:

  <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="192\.168\.1\.100" />

Example:

Default configurations in tomcat-users.xml in Tomcat Server:

<tomcat-users>
<role rolename="tomcat" />
<role rolename="role1" />
<user username="tomcat" password="tomcat" roles="tomcat" />
<user username="role1" password="tomcat" roles="role1" />
<user username="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>

After adding the roles for the "tomcat" user, the modified entries will be as follows:

<tomcat-users>
<role rolename="tomcat" />
<role rolename="role1" />
<role rolename="manager" />
<user username="tomcat" password="tomcat" roles="tomcat,manager-gui,manager-jmx" />
<user username="role1" password="tomcat" roles="role1" />
<user username="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>

On making the configuration changes, restart the Tomcat server.

Now, while adding a new Tomcat monitor, specify both the username and password as tomcat when discovering the Tomcat server.

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow=".*" />

Note:

1) After adding the Manager role in tomcat-users.xml, you should be able to access the endpoints <Host>:<PORT>/manager/status and <Host>:<PORT>/manager/jmxproxy from the Applications Manager installed machine (Provide manager user credentials).
2) If the application is not accessible, add the following entry in server.xml, under 'Engine' context:
<Realm className="org.apache.catalina.realm.MemoryRealm" />
3) Restart the server and try to access manager application.
4) By default, GZip compression is disabled for Tomcat. To learn how to enable GZip in Tomcat, refer here.

Tomcat versions 5.x and 6.x

To monitor Tomcat 5.x and 6.x, an application named Manager must be running in it for Applications Manager to monitor the Tomcat server. By default, this application will be running in the server. If you have customized the Manager application (Eg. \qamanager), then you can use the option "Tomcat Manager Application URI" in the client, for Applications Manager to monitor the Tomcat server.

To monitor Tomcat server,

• The user role manager is required to access the server.
• To add a role as manager to any of the users such as tomcat, role1, or both, you need make changes in tomcat-users.xml file located under <TOMCAT-HOME>/conf directory.

Example:

Default configurations in tomcat-users.xml in Tomcat Server:

<tomcat-users>
<role rolename="tomcat" />
<role rolename="role1" />
<user username="tomcat" password="tomcat" roles="tomcat" />
<user username="role1" password="tomcat" roles="role1" />
<user username="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>

After adding the roles for the "tomcat" user, the modified entries will be as follows:

<tomcat-users>
<role rolename="tomcat" />
<role rolename="role1" />
<role rolename="manager" />
<user username="tomcat" password="tomcat" roles="tomcat,manager" />
<user username="role1" password="tomcat" roles="role1" />
<user username="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>

On making the configuration changes, restart the Tomcat server.

Now, while adding a new Tomcat monitor, specify both the username and password as tomcat when discovering the Tomcat server.

Note:

1) After adding the Manager role in tomcat-users.xml, you should be able to access the endpoints <Host>:<PORT>/manager/status and <Host>:<PORT>/manager/jmxproxy from the Applications Manager installed machine (Provide manager user credentials).
2) If the application is not accessible, add the following entry in server.xml, under 'Engine' context:
<Realm className="org.apache.catalina.realm.MemoryRealm" />
3) Restart the server and try to access manager application.
4) By default, GZip compression is disabled for Tomcat. To learn how to enable GZip in Tomcat, refer here.

Tomcat versions 3.x and 4.x

Applications Manager agent has to be deployed in Tomcat Servers 3.x and 4.x to monitor them. Moreover, Tomcat 3.x and 4.x needs no user name and password.

To deploy the agent for Tomcat Server 3.x

1. Download the Tomcat3Agent.Zip from <Applications Manager Home>/working/classes directory.
2. Unzip it in the <Tomcat Home> directory of the host in which the Tomcat server is running.
3. Restart the Tomcat Server.

To deploy the agent for Tomcat Server 4.x 

1. Download the Tomcat4Agent.Zip from the <Applications Manager Home>/working/classes directory
2. Unzip it in the <Tomcat Home> directory of the host in which the Tomcat server is running.
3. Add the following tag in server.xml file located in the <Tomcat Home>/conf directory (below the Engine tag).
   <Valve className="com.adventnet.appmanager.tomcatagent.ver4.valve.AdventNetHostValve"/>
   [Click the link to view an example server.xml]
4. Restart the Tomcat Server.

To deploy the agent for Tomcat Server 4.x and Apache server combined

1. Download the Tomcat4Agent.Zip from the <Applications Manager Home>/working/classes directory
2. Unzip it in the <Tomcat Home> directory of the host in which the Tomcat server is running.
3. Add the following tag in server.xml file located in the <Tomcat Home>/conf directory (below the Engine tag).
   
   <Valve className="com.adventnet.appmanager.tomcatagent.ver4.valve.AdventNetHostValve"/>
   
   [Click the link to view an example server.xml]
4. Restart the Tomcat Server.
5. Apache:In Apache mod_jk.conf file of Apache Server , add the following entry 
   • JkMount /adventnet/* ajp13, Where ajp13 is the worker name .It has be the name given in worker.properties file.
6. Restart Apache server

WebLogic Server

• For monitoring your WebLogic server, the user must have 'Administrator' privileges. For more information, refer here.
• Webserver port of Applications Manager-installed machine should be accessible from Weblogic server and the HTTP Port of Weblogic server should be accessible from Applications Manager-installed machine.
• If listen address is configured in WebLogic server, the same should be provided while adding the monitor.
• The hostname of WebLogic machine should be resolvable from Applications Manager-installed machine. Add the host details in hosts file of Applications Manager-installed machine.

Click on the following topics to know more about the prerequisites for various versions of WebLogic server.

• To monitor WebLogic 6.1
• To monitor WebLogic 7.x
• To monitor WebLogic 8.x
• To monitor WebLogic 9.x
• To monitor WebLogic 10.x, 11g
• To monitor WebLogic 12.x and above
• For SSL support over WebLogic

To monitor WebLogic 6.1:

Follow the steps given below:

• Provide only Admin user name.
• In the remote WebLogic server, navigate to <Weblogic Home>/weblogic61/server/lib directory. From there, copy Weblogic.jar to <Applications Manager Home>\working\classes\weblogic\version6 directory in the machine where Applications Manager is running.

To monitor WebLogic 7.x:

You should set the weblogic.disableMBeanAuthorization and weblogic.management.anonymousAdminLookupEnabled variables to true for enabling data collection. Follow the steps given below:

• Edit startWLS.cmdsh present in the <WLS_HOME>/server/bin directory and add the following arguments
-Dweblogic.disableMBeanAuthorization=true
-Dweblogic.management.anonymousAdminLookupEnabled=true Click here for Sample startWLS.cmd/sh
• Restart the WebLogic Server for the changes to take effect
• In the remote WebLogic server, navigate to <Weblogic Home>/weblogic70/server/lib directory. From there, copy Weblogic.jar to <Applications Manager Home>\working\classes\weblogic\version7 directory in the machine where Applications Manager is running.

To monitor WebLogic 8.x:

You should set the weblogic.disableMBeanAuthorization and weblogic.management.anonymousAdminLookupEnabled variables to true for enabling data collection. Follow the steps given below:

• Edit startWLS.cmdsh present in the <WLS_HOME>/server/bin directory and add the following arguments
-Dweblogic.disableMBeanAuthorization=true
-Dweblogic.management.anonymousAdminLookupEnabled=true Click here for Sample startWLS.cmd/sh
• Restart the WebLogic Server for the changes to take effect
• In the remote WebLogic server, navigate to <Weblogic Home>/weblogic81/server/lib directory. From there, copy Weblogic.jar to <Applications Manager Home>\working\classes\weblogic\version8 directory in the machine where Applications Manager is running.

To monitor WebLogic 9.x:

In the remote WebLogic server, navigate to <Weblogic Home>/weblogic92/server/lib directory. From there, copy Weblogic.jar to <Applications Manager Home>\working\classes\weblogic\version9 directory in the machine where Applications Manager is running.

To monitor WebLogic 10.x , 11g:

In the remote WebLogic server, navigate to <Weblogic Home>/wlserver/server/lib directory. From there, copy Weblogic.jar, wlclient.jar, wljmsclient.jar, wlthint3client.jar to <Applications Manager Home>\working\classes\weblogic\version10 directory in the machine where Applications Manager is running.

To monitor WebLogic 12.x and above:

In the remote WebLogic server, navigate to <Weblogic Home>/wlserver/server/lib directory. From there, copy wlclient.jar and wljmxclient.jar to <AppManager Home>\working\classes\weblogic\version12 directory in the machine where Applications Manager is running. 

---

For SSL support over WebLogic:

WebLogic certificate has to be imported to <Applications Manager Home>/working/jre/lib/security/cacerts file. This certificate can be imported through <Applications Manager Home>/bin/WeblogicCertificate.bat/sh files.

Syntax:

WeblogicCertificate.bat [import] [Full path of weblogic server certificate] [alias name]

Example:

C:\Program Files\ManageEngine\AppManager\bin> WeblogicCertificate.bat import "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\MyDomain\root.cer" mykey

Note:
* If customer is monitoring all three versions of weblogic (10.x, 11g, 12C), then get the jars from latest version of WebLogic (Version 12c).
* SSL option is enabled in the UI only for version 9 and above.

The ports that need to be opened when the Weblogic Monitor is behind the firewall: Two-way communication between WebLogic listening port (default : 7001) and Applications Manager web server port (default : 9090).

Sample commands for WebLogic 7.x, 8.x:

"%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -classpath "%CLASSPATH%" -Dweblogic.Name=%SERVER_NAME% -Dbea.home="C:\WebLogic\WL7.0" -Dweblogic.disableMBeanAuthorization=true -Dweblogic.management.anonymousAdminLookupEnabled=true -Dweblogic.management.username=%WLS_USER% -Dweblogic.management.password=%WLS_PW% -Dweblogic.management.server=%ADMIN_URL% -Dweblogic.ProductionModeEnabled=%STARTMODE% -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server
goto finish

:runAdmin
@echo on
"%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -classpath "%CLASSPATH%" -Dweblogic.Name=%SERVER_NAME% -Dbea.home="C:\WebLogic\WL7.0" -Dweblogic.disableMBeanAuthorization=true -Dweblogic.management.anonymousAdminLookupEnabled=true -Dweblogic.management.username=%WLS_USER% -Dweblogic.management.password=%WLS_PW% -Dweblogic.ProductionModeEnabled=%STARTMODE% -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server

WebSphere Application Server

• Prerequisites for WebSphere Versions 8.x and below
• Prerequisites for WebSphere Version 9.x

Prerequisites for WebSphere Versions 8.x and below

For base deployment:

You have to modify the Performance Monitor Interface (PMI) Specification Level from "None" to "Standard". Then deploy the perfServletApp.ear file, which uses the PMI infrastructure to retrieve the performance information from WebSphere Application Server, in the WebSphere. Restart WebSphere Application Server.

For Network deployment:

You have to modify the PMI Specification Level from "None"to "Standard" in all the WebSphere Servers in Network Deployment. Then deploy theperfServletApp.ear file, which uses the PMI infrastructure to retrieve the performance information from WebSphere Application Server, in any one of the WebSphere Servers in the Network Deployment. Restart WebSphere Application Server.

Note: Steps to check whether WebSphere monitor has been correctly set

To modify PMI specification level:

• Connect to the Admin console - http://<Host>:<Port>/admin/
• On the left-side tree, expand the Servers node.
• Click on Application Servers link. This will display the list of servers running in the node.
• Click on the server for which data collection has to be enabled.
• In the Additional Properties table, click on Performance Monitoring Service.
• Change the Initial specification level to "Standard" and then apply the changes. Also enable (select) Startup.

To deploy perfServletApp.ear:

• Open the Admin console
• Go to Applications then Application Types, then WebSphere Enterprise Applications.
• Click Install and select local system.
• Browse the perf servlet application then click ok.
• The Default Path is <WAS_INSTALLED_PATH>/<APP_SERVER_NAME>/installableApps/PerfServletApp.ear
• Accept all default options and select Next until finish then click Save.
• After successfully installed this application, restart the node server once in order to work the perf servlet work correctly.

Make sure that a WebSphere Admin User is added to the monitor group of the perfservletApp, if global security is enabled in Websphere. To do so, go to WebSphere Admin console → Applications → Installed Applications → Choose perfservletapp → Security role to user group mapping → Choose Monitor Role → Associate the admin user → Save directly to the master configuration.

To check the perf servlet output, open the following url from your browser:

http://localhost:<PORT>/wasPerfTool/servlet/perfservlet?connector=SOAP&port=8880 <PORT> - 9080 (Default)

Steps to Check whether Websphere monitor has been correctly set

For Base Deployment:

To ensure whether the PMI & perfServletApp are configured properly in WebSphere, invoke the below URL & check whether the data is returned in XML format.

http://<Host>:<Port>/wasPerfTool/servlet/perfservlet?connector=SOAP&port=<SOAP-PORT>

where

• Host - Host in which WebSphere Application Server is running
• Port - HTTP Transport port of the WebSphere Application server [How to locate HTTP Port]
• SOAP Port - SOAP Port of WebSphere [How to locate SOAP Port]

For Network Deployment:

To ensure whether the PMI & perfServletApp are configured properly in WebSphere, invoke the below URL & check whether the data is returned in XML format.

http://<Host>:<Port>/wasPerfTool/servlet/perfservlet?connector=SOAP&port=<NetworkDeployerSOAP-PORT>&HOST=<NetworkDeployerHost>

where

• Host - The host of the websphere application server in which the perf servlet application is installed
• Port - HTTP Transport port of the Websphere server in which the perf servlet application is installed [How to locate HTTP Port]
• NetworkDeployer SOAP PORT - The SOAP port of the Deployment manager (DMGR) [How to locate SOAP Port]
• Network Deployer Host - The host in which the Deployment manager is running.

Note: Also check whether WebSphere admin user is added to the monitor group of the perfservletApp.

How to locate SOAP Port?

1. Login to Admin console

2. Expand the server link on left side tree. Click on Application Servers

3. In Base mode, various WebSpheres will be listed down. Click on the WebSphere's name- > Under Additional Properties, click on End Points link -> click on SOAP connector address. You can get the SOAP port from there.

4. In Network Deployment mode, Click DMGR - > Under Additional Properties, click on End Points link -> click on SOAP connector address - You can get the SOAP port from there.

How to find the HTTP Transport port?

1. Login to Admin console

2. Expand the Server link on left side tree, Click on Application Servers

3. Various WebSpheres will be listed down. Click on the WebSphere's name- > Under Additional Properties, click on Web Container link -> click on HTTP Transports link. You can get the HTTP port from there.

Prerequisites for WebSphere Versions 9.x:

For Base mode:

1. Enable Performance Monitoring Infrastructure (PMI) in the application servers you want to monitor.
2. Go to Websphere Console, then Servers and All servers.
3. Click on the server name, then "Performance Monitoring Infrastructure (PMI)" under "Performance" tab.
4. Check the box "Enable Performance Monitoring Infrastructure".
5. Click Apply, Save and Restart the server.
6. If global security is enabled, provide username and password of user with adminitrative role.

For Network deployment mode:

1. Enable Performance Monitoring Infrastructure (PMI) in the application servers and node agents you want to monitor.
2. To enable PMI in an application server inside a Network deployment:
   • Go to Websphere Console, then Servers and All servers.
   • Click on the server name, then "Performance Monitoring Infrastructure (PMI)" under "Performance" tab.
   • Check the box "Enable Performance Monitoring Infrastructure".
3. To enable PMI in a node agent
   • Go to the Websphere Console, System Administration then Node agents.
   • Click on the node agent, then "Performance Monitoring Infrastructure (PMI)".
   • Check the box "Enable Performance Monitoring Infrastructure".
4. Click Apply, Save and Restart the server.
5. If global security is enabled, provide username and password of user with adminitrative role.

To enable Global security:

1. Go to the Websphere Console, go to Security then Global Security.
2. Under "Administrative security", check "Enable administrative security".
3. Click Apply, Save and Restart the server.
4. SSL certificates has to be added to APM incase SSL is enabled or Global security is enabled.

Steps: https://pitstop.manageengine.com/portal/kb/articles/how-to-import-certificates-for-monitoring-websphere-application-server-with-ssl-authentication

Resin Server

JMX MBeans are used to monitor Resin Application server's activity. To enable JMX, open Resin.XML and add the below JVM arguments or start Resin.exe with the below JVM arguments

-Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

Replace 1099 with the actual port number of the JMX agent

Jetty Server

JMX MBeans are used to monitor Jetty server's performance. To enable JMX,

1. Add the below JVM arguments on Jetty start up:
   -Dcom.sun.management.jmxremote.port=9999
   -Dcom.sun.management.jmxremote.ssl=false
   -Dcom.sun.management.jmxremote.authenticate=false
   -Dcom.sun.management.jmxremote
   • Replace 9999 with the actual port number of the JMX agent
2. Add the following line in start.ini file --module=jmx

Apache Geronimo

To monitor Apache Geronimo Server, add the following java runtime options to the startup file of your application:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1999
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

Replace 1999 with the any free port available.
You can find the startup file here : <Geronimo-Installation-Directory>/bin

Microsoft .NET

To monitor Microsoft .NET Framework, the user must have Administrator privileges. To monitor the Microsoft .NET framework, follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5  in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Firewall access for monitoring:Following are the list of ports required for monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

Note: If you want to monitor as a non-admin user, follow the steps mentioned in this link.

Database Servers

Cassandra DB

For monitoring Cassandra database server, the given prerequisites should be followed:

• JMX remote access enabled: We are using JMX to monitor Cassandra. So it must have JMX remote access enabled.
• JMX Port: We need JMX port number (and not Cassandra DB port number) for monitoring. The JMX port number will be available in cassandra-env.sh file.
• Firewall restrictions: Make sure any firewalls between Appmanager machine and the Cassandra node allow traffic on the JMX port.
• Authentication mode : If Cassandra is running in authenticated mode, enable the Is Authentication Required option. Ensure that the provided user has read-only permissions and uses the password specified in the jmxremote.password file.

Dameng DB

To perform effective monitoring of DamengDB in Applications Manager, the monitor user must be granted the Data Viewer privilege. Refer here to know more about how to grant this privilege to the newly created user.

IBM DB2

A DB2 user with SYSMON instance level authority is required for monitoring DB2 server.

Long Running Queries (Available from version 9.7 & above):

To monitor 'Long Running Queries', the user must have the following authorization:

• SELECT privilege on the MON_CURRENT_SQL administrative view

Session details (Available from version 9.7 & above):

To monitor 'Session details', the user must have any one of the following authorizations:

• Execute privilege on the routine 'SYSPROC.MON_GET_CONNECTION'

Granting a privilege to user:

Login to DB2 command line processor and execute below statement:

GRANT <authority> ON DATABASE TO USER <user-name>

where, <authority> can be any one of the following: CONNECT, LOAD

To learn how to grant a privilege to a user, refer here.

IBM Informix Server

JDBC Driver:

To monitor IBM Informix DB, make sure that the ifxjdbc.jar file is present in the location:<ProductHome>\working\classes directory. The jar file can be copied from the IBM Informix installation location, <IBM Informix Home>\jdbc\lib\jar. Restart Applications Manager after copying the file.

User Privileges:

To add an Informix DB monitor, a user requires Connect database-level privileges and he should be able to access sysmaster database.

1. Copy the ngdbc.jar file into the location <Applications Manager Home>/working/classes. ngdbc.jar can be copied from the installed SAP HANA Client folder. Click here to download SAP HANA Client.
2. If HANA is running On-demand, in addition to the above, SAP Cloud Platform SDK is needed. However, this is not needed for HANA On-premise. Download SAP Cloud Platform SDK. The downloaded zip should be extracted under <Applications Manager Home>/working/hanacloud folder. After extracting, verify whether <Applications Manager Home>/working/hanacloud/tools folder is available.
3. Restart Applications Manager after performing the above steps.
4. Provide the below privileges for SAP HANA DB User.
   1. System privilege CATALOG READ.
   2. Object privilege SELECT on the schema _SYS_STATISTICS.
   To grant the above privileges, execute the below statements in the SAP HANA SQL console. (Replace USER_NAME with the actual HANA DB Username)
   1. GRANT MONITORING to < USER_NAME >
   2. CALL GRANT_ACTIVATED_ROLE ('sap.hana.admin.roles:Monitoring','< USER_NAME >')

SAP MaxDB

The following are the prerequisites to be implemented to monitor SAP MaxDB in Applications Manager:

• X-Server should be running.
• sapdbc.jar file should be copied to <Applications Manager Home>\working\classes folder. By default, this jar will be available in SAP MaxDB installation folder under <MaxDB_InstallationPath>\runtime\jar\ directory.

SQL Anywhere

Applications Manager supports the monitoring of SQL Anywhere from version 17. We use system procedures for monitoring the SQL Anywhere server.

To monitor SQL Anywhere server, the DB user must have the following privileges:

• Privilege to manage any DBspace.
• Any one of the following roles: Monitor or Server Operator or Drop connection

To know more about system privileges, click here.

CLOUD APPS

Microsoft Azure

List of ports to be opened for communicating with Microsoft Azure

Microsoft Azure monitor can be added using 3 methods,

• AD Application & Service Principal (Recommended)
• OAuth mode
• Azure Organizational Account (PowerShell)

AD Application & Service Principal (Recommended)

1. Create Microsoft Entra (Previously Azure Active Directory) Application:

• Log in to Azure Portal (https://portal.azure.com or https://portal.azure.us/) using the credentials of Microsoft account (@outlook.com or @live.com) using which the subscription was created.
• Go to App registrations → New registration and enter the relevant details and click Register to create a new App registration.

2. Getting Tenant ID, Client ID and Client Secret (Application Key):

• Go to the Microsoft Entra ID application created.
• From the application's overview page,
  • Copy the value given as Directory (tenant) ID. 
  • Copy the value given as Application (client) ID.
• To add a new client secret, go to the Manage tab and navigate to Certificates & Secrets → New client secret. Provide a description and select a duration (preferably 24 months), then click Add. Copy the Client Secret Value from the Value column, ensuring that the Secret ID is not copied. To know more about creating a Client Secret, refer here.
• To monitor the client secret expiry (optional), please follow the below steps:
  • Go to API Permissions → Add a permission → Microsoft Graph → Application permissions, choose the permission Application → Application.Read.All and click on Add permission.
  • Click on the Grant Admin Consent button.

3. Assign a role to the application:

• Select Subscriptions from the home page.
• Select the particular subscription to assign the application to.
• Copy the Subscription ID value. This is your Subscription ID.
• Select Access control (IAM) from left menu.
• Select Add > Add role assignment to open the Add role assignment page.
• Choose the role of Contributor (Under Role → Privileged administrator roles) or Reader (Under Role → Job function roles) based on your request and then click Next.
  • Contributor: Application with this role can oversee all metrics within Azure Monitors and execute VM actions through our product.
  • Reader: Application with this role have limitations when it comes to monitoring Diagnostic Agent metrics in Azure VM Monitor and performing VM actions through our product.
• Select User, group, or service principal in Assign access to option.
• In Members option, click on Select Members and search for the name of your application and select it.
• Select Review + Assign to finish assigning the role.

To know more about assigning a role to the application, refer here.

4. Provide the Tenant ID, Client ID and Application Key (Client Secret) in the Azure new monitor page of Applications Manager.

OAuth mode

Follow the steps 1, 2 and 3 mentioned in AD Application & Service Principal.

4. Grant App Registration Permissions

• Select your created application under Microsoft Entra ID → App Registration.
• In the application's Overview page, click on 'API Permissions' available on the left pane.
• Click on 'Add a Permission' option, select 'Azure Service Management' and choose 'Delegated Permissions'.
• Select the 'user_impersonation' permission and then click on 'Add Permissions'.
• Finally, click on 'Grant admin consent for APM' button.

Steps to create an OAuth Provider for Azure monitor:

1. In Applications Manager, go to Settings → Discovery and Data Collection → Credential Settings → OAuth Provider and select Add OAuth Provider. (Make sure you are logged in from a fully qualified domain name as in the help card)
2. Copy the Redirect URL from the Add OAuth Provider window.
3. In the Microsoft Azure console, go to Microsoft Entra ID from the left pane, select App Registrations and click on the required application.
4. In the application's Overview page, click on the link available under Redirect URIs and paste the Redirect URL copied from the Add OAuth Provider window. Click Save.
5. Now copy the App ID, Tenant ID and Client Secret obtained in the above steps and fill in the Add OAuth Provider window.
6. For Applications Manager Versions till 16310,user should follow the details as mentioned below:
   • Grant Type - Authorization Code
   • Authorization Endpoint URL:
     • Azure Global account: https://login.microsoftonline.com/<tenantID>/oauth2/authorize
     • Azure Gov account: https://login.microsoftonline.us/<tenantID>/oauth2/authorize
   • Token Endpoint URL:
     • Azure Global account: https://login.microsoftonline.com/<tenantID>/oauth2/token
     • Azure Gov account: https://login.microsoftonline.us/<tenantID>/oauth2/token
   • Token request method - Post request body
   • Request body:
     • Name - resource
     • Value:
       • Azure Global account: https://management.azure.com/
       • Azure Gov account: https://management.usgovcloudapi.net/
   • Authenticated request method - Basic Authentication
7. For Applications Manager Versions from 16320, user should follow the details as mentioned below:

   Note: Azure China accounts are supported from Applications Manager v173000.

   • Grant Type - Authorization Code
   • Authorization Endpoint URL:
     • Azure Global account: https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
     • Azure Gov account: https://login.microsoftonline.us/<tenantID>/oauth2/v2.0/authorize
     • Azure China account: https://login.partner.microsoftonline.cn/<tenantID>/oauth2/v2.0/authorize
   • Scope:
     • Azure Global account: https://management.azure.com/.default offline_access
     • Azure Gov account: https://management.usgovcloudapi.net/.default offline_access
     • Azure China account: https://management.chinacloudapi.cn/.default offline_access
   • Token Endpoint URL:
     • Azure Global account: https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
     • Azure Gov account: https://login.microsoftonline.us/<tenantID>/oauth2/v2.0/token
     • Azure China account: https://login.partner.microsoftonline.cn/<tenantID>/oauth2/v2.0/token
   • Token request method - Post request body
   • Authenticated request method - Basic Authentication

   Note: Remaining fields should remain as default.

8. Click Authorize button and authorize using the account to login to Azure.
9. Once created, verify whether both Access token and Refresh token are generated.
10. Use this OAuth Provider in the Microsoft Azure's New Monitor page.

Azure Organizational Account (PowerShell)

1. Installing the Powershell module on Applications Manager server:

For Applications Manager versions 15170 onwards, you must install the Az Powershell module.

To install the Az Powershell module, follow the below steps:

Open Powershell prompt with Administrator privileges. Run the following commands:

# Install the Az module from the PowerShell Gallery

Install-Module -Name Az -RequiredVersion 6.2.1

To check if the modules are installed successfully:
Open Powershell prompt with Administrator privileges. Run the following command,

Connect-AzAccount

If this opens a pop-up asking for Azure credentials, this means the required modules are installed successfully.

For Applications Manager versions till 15160, you must install the AzureRM Powershell module.

To install the AzureRM Powershell module, follow the below steps:

Open Powershell prompt with Administrator privileges. Run the following commands:

# Install the Azure Resource Manager modules from the PowerShell Gallery

Install-Module AzureRM

In case if you get the following error upon executing the above command, then install the downloader from http://aka.ms/webpi-azps

To check if the modules are installed successfully:
Open Powershell prompt with Administrator privileges. Run the following command,

Login-AzureRmAccount

If this opens a pop-up asking for Azure credentials, this means the required modules are installed successfully.

2. Get Subscription ID

• Log in to Azure Portal (https://portal.azure.com or https://portal.azure.us/) using the credentials of Microsoft account (@outlook.com or @live.com) using which the subscription was created.
• On the home page, navigate to All Services → Subscriptions, select the subscription.
• Copy the Subscription ID value. This is your Subscription ID.

3. Create an Organizational account using Microsoft Azure administrator permissions

• Log in to Azure Portal (https://portal.azure.com or https://portal.azure.us/) using the credentials of Microsoft account (@outlook.com or @live.com) using which the subscription was created. Select Microsoft Entra ID and choose the default directory.
• To create a new user, select Users → New user and enter the required information : Username, Name, and Password (Use Let me create the password option) and click on Create.
• Note down the Email ID and the password of the user that you just created.

4. Assign the Global administrator role to your organizational account

• Log in to Azure Portal (https://portal.azure.com or https://portal.azure.us/).
• Search for and select Microsoft Entra ID.
• Select Users.
• Select the user for which Global administrator role needs to be assigned.
• On the User Profile page, select Assigned Roles and then click on Add assignment.
• Search for and select the role Global administrator.
• After selecting the role, click on Add button.

The Global administrator role will be assigned to the required user.

After performing all the above steps,

• Sign out of the current account.
• Sign in using the newly created Email address and temporary password
• You will be prompted to change the password, when logging in for the first time
• Change and note down the new password

Provide this Subscription ID, Email ID, and Password to respective fields in the New monitor page while using the mode ‘Azure Organizational Account (PowerShell) of Applications Manager.

Azure Virtual Machines

Users can choose their preferred mode of data collection by performing the following prerequisites:

• Azure Agents:
  • Azure Monitor Agent
  • Diagnostic Agent
• Guest OS monitoring

Azure Monitor Agent

Follow the steps given below to configure the Azure Monitor Agent in Windows and Linux VMs:

• Steps to enable Azure Monitor Agent in the Azure Portal
• Steps to enable Azure Monitor Agent in Applications Manager

Steps to enable Azure Monitor Agent in the Azure Portal:

1. Log in to Azure Portal (https://portal.azure.com).
2. Navigate to Data Collection Rules using the search bar and create a new resource under it for agent installation.
3. Create a new Data Collection Rule
   • In the Basics tab, select the Platform Type as 'Windows', 'Linux', or 'All' based on the respective virtual machine OS type.
   • In the Resources tab, click on 'Add Resources' and select the respective virtual machines.
   • In the Collect and Delivertab, click on 'Add Data Source' and select the data source type as Performance Counters.

     

   • Under Performance Counters, all the listed categories of 'Basic' are chosen by default, and the metrics monitored in Applications Manager are included. If the user wants to enable the agent only for APM monitored metrics, switch to 'Custom' and select the metrics listed in the Windows Metrics Table or Linux Metrics Table below, based on the OS type.

     Windows Metrics Table

     Metric Name in Azure Portal	Metric Name in Applications Manager
     \Processor Information(_Total)\% Privileged Time	Privileged Time
     \Processor Information(_Total)\% User Time	User Time
     \Processor Information(_Total)\Processor Frequency	Processor Frequency
     \Memory\Committed Bytes	Committed Bytes
     \Memory\Available Bytes	Available Bytes
     \Memory\% Committed Bytes In Use	Committed Bytes In Use
     \Memory\Pool Paged Bytes	Pool Paged Bytes
     \Memory\Pool Nonpaged Bytes	Pool Nonpaged Bytes
     \Memory\Page Faults/sec	Page Faults/sec
     \Process(_Total)\Thread Count	Thread Count
     \System\Context Switches/sec	Context switches/sec
     \System\Processes	Process Count
     \Process(_Total)\Handle Count	Handle Count

     Linux Metrics Table

     Metric Name in Data Collection Rule	Metric Name in Azure Monitor Metrics	Metric Name in Applications Manager
     Processor(*)\% IO Wait Time	cpu/usage_iowait	IO Wait Time (%)
     Processor(*)\% Idle Time	cpu/usage_idle	Idle Time (%)
     Processor(*)\% Processor Time	cpu/usage_active	Processor Time(Linux) (%)
     Memory(*)\% Used Memory	mem/used_percent	Memory Utilization
     Memory(*)\Available MBytes Memory	mem/available	Available Memory
     Memory(*)\Used Memory MBytes	mem/used	Used Memory
     Memory(*)\% Available Memory	mem/available_percent	Available Memory %
     Memory(*)\% Used Swap Space	swap/used_percent	Used Swap Memory %

     Note: The Memory Utilization metric for Linux is supported from Applications Manager v171900.

   • In the Destination tab, click on Add Destination and specify the destination type as Azure Monitor Metrics (preview). Next, click on 'Add Data Source'.

     

   • Proceed to click on Review + create, review the configurations, and then click 'Create' to deploy the resource for agent installation.
4. Confirm the status of the installed agent is Provisioning succeeded.
   • Navigate to the respective virtual machine and ensure it is in the 'Running' state. Then, in the left panel under Settings, select Extensions + applications.
   • Ensure the status is 'Provisioning succeeded' for AzureMonitorWindowsAgent or AzureMonitorLinuxAgent, based on the OS type of the VM. If agent status is not in succeeded state, please check the troubleshooting steps.

     

5. Ensure that the required metrics are added under Azure Monitor Metrics.
   • In the respective virtual machine, select 'Metrics' under Monitoring in the left panel.
   • Click on Add metric and select the 'Metric Namespace' as Virtual Machine Guest for Windows (or) azure.vm.linux.guestmetrics for Linux.
   • Verify if all the Applications Manager supported metrics are mentioned under the 'Metric' list.

     

Steps to enable Azure Monitor Agent in Applications Manager:

1. Navigate to the respective virtual machine monitor in Applications Manager and click on the Edit Monitor page.
2. Ensure that the Agent Type is selected as Azure monitor agent.
3. By default, the Agent Type will be 'Azure Monitor Agent'. For existing monitors created before version 171400, the Agent Type will be 'Diagnostic Agent'.
   Note:

   • For Azure Government Cloud and Azure China VM monitors, the Azure Monitor agent type is not supported; therefore, the Diagnostic Agent will be selected by default.
   • Azure China accounts are supported from Applications Manager v173000.

Diagnostic Agent

Follow the steps given below to enable the Diagnostics Agent for Windows and Linux VMs:

• Steps to enable the Diagnostics Agent in the Azure Portal:
  • For Windows VMs
  • For Linux VMs
• Steps to enable Diagnostic Agent in Applications Manager from v171400

Note: Applications Manager can collect diagnostic metrics from Storage accounts in both public and private links, as long as the storage account is accessible from the machine where Applications Manager is installed. For additional information, please refer to this link.

Steps to Enable Diagnostics Agent for Windows VMs:

1. Log in to Azure Portal (https://portal.azure.com or https://portal.azure.us/) using the credentials of 'Administrator'
2. Navigate to your virtual machine.
3. Click on 'Diagnostics settings' on the vertical pane. Select 'Agent' tab and click on 'Remove' at the bottom, as shown in the below image.

   

4. In the same page, now choose a diagnostics storage account from the dropdown and then click 'Enable guest-level monitoring' to enable the VM diagnostic.

   

5. In Performance counters tab, all the Basic metrics are chosen by default, and the metrics monitored in Applications Manager are included in it. If the user wants to enable diagnostics only for the monitored metrics, select Custom and select the below-listed metrics and click Save.

   Metric Name in Azure Portal	Metric Name in Applications Manager
   \\Processor Information(_Total)\\% User Time	User Time
   \\Processor Information(_Total)\\% Privileged Time	Privileged Time
   \\Processor Information(_Total)\\Processor Frequency	Processor Frequency
   \\System\\Processes	Process Count
   \\System\\Context Switches/sec	Context Switches/sec
   \\Process(_Total)\\Thread Count	Thread Count
   \\Process(_Total)\\Handle Count	Handle Count
   \\Memory\\Committed Bytes	Committed Bytes
   \\Memory\\Available Bytes	Available Bytes
   \\Memory\\% Committed Bytes In Use	Committed Bytes In Use
   \\Memory\\Page Faults/sec	Page Faults/sec
   \\Memory\\Pool Paged Bytes	Pool Paged Bytes
   \\Memory\\Pool Nonpaged Bytes	Pool Nonpaged Bytes

6. Restart the VM

Steps to Enable Diagnostics Extension for Linux VMs:

1. Log in to Azure Portal (https://portal.azure.com or https://portal.azure.us/) using the credentials of 'Administrator'
2. Navigate to your virtual machine.
3. Click on 'Diagnostics settings' on the vertical pane under 'Monitoring'.
4. To uninstall the old diagnostic agent and reinstall again, go to 'Agent' and click 'Remove' to remove the current diagnostic agent. On the same page, now choose a storage account from the dropdown and then click 'Enable guest-level monitoring' to enable the VM diagnostic.

   

5. To reduce the amount of data stored in Storage Account tables, configure only the required diagnostics instead of all.

Once the diagnostic settings are updated successfully, in the same pane, click 'Metrics' and then click 'Custom' and remove the unwanted metrics. Refer to the below image to view the required metrics and their configuration. Also, set the aggregation intervals to 1 minute (Choose only 'PT1M' and remove other intervals like 'PT1H', 'PT5M', etc.) and finally click 'Save' to save the configuration.

Metric Name in Azure Portal	Metric Name in Applications Manager
/builtin/disk/averagereadtime	Average Read Time
/builtin/disk/averagewritetime	Average Write Time
/builtin/memory/availablememory	Available Memory (MB)
/builtin/memory/percentusedswap	Used Swap memory (%)
/builtin/memory/usedmemory	Used Memory (MB)
/builtin/memory/percentavailablememory	Available Memory (%)
/builtin/processor/percentidletime	Idle Time
/builtin/processor/percentiowaittime	IO Wait Time
/builtin/processor/percentprocessortime	Processor Time(Linux)

To check whether the diagnostic agent is working properly by storing the diagnostic metrics in the configured Storage Account:

• In the Azure portal, go to Virtual Machine and click 'Metrics' under 'Monitoring' in the left pane.
• Make sure the 'Scope' is pointing to the respective Virtual Machine and choose 'Guest (Classic)' in 'Metric Namespace' dropdown.
• Choose any one metric, let us check by choosing 'CPU idle time' in 'Metric' dropdown and check the data points for the current timestamp as below:

 

Steps to enable Diagnostic Agent in Applications Manager from v171400

1. Navigate to the respective virtual machine monitor in Applications Manager and click on the Edit Monitor page.
2. Ensure that the Agent Type is selected as Diagnostic agent.
3. By default, the Agent Type will be 'Azure Monitor Agent'. To choose Diagnostic agent, you should select the Agent type as 'Diagnostic agent'.
4. For existing monitors created before version 171400, the Agent Type will be 'Diagnostic Agent'.

GENERAL BEHAVIOUR

• Under the tab ‘Disk’, below ‘Disk spacing’ section, the disk size will be shown as 0, if disk size is not configured for the virtual machine in portal.
• To set disk size in portal, refer https://blogs.msdn.microsoft.com/madan/2016/09/28/resize-azure-resource-manager-arm-vm-os-data-disk-using-azure-portal/

Note: In case if you change the resource group of any Virtual machine in Azure portal, then provide the updated details (Virtual Machine ResourceID and Resource Group Name) in the Edit monitor page of that Virtual machine in Applications Manager for data collection to happen.

Enabling Guest OS monitoring

Following are the metrics monitored when Guest OS monitoring is enabled:

• Disk Utilization
• Disk IO Statistics
• Network Interface
• Service Monitoring

To enable Guest OS monitoring, go to Edit monitor page of Azure Virtual Machine monitor, click 'Enable Guest OS Monitoring' and provide the username and password of the VM. Enable the 'Use Public IP' option to use public IP to connect to Azure VM via internet and fetch Guest OS metrics. By default, this option will be unchecked and private IP will be used. However, this works only when Applications Manager installed machine and Azure Virtual Machine reside in the same network.

1. Perform the below steps in Azure Portal.

• Log in to Azure Portal.
• Open Azure Cloud Shell.
• Execute the following command
  

  Enable-AzVMPSRemoting -Name 'vm-hostname' -ResourceGroupName 'vm-resourcegroupname' -Protocol https -OsType Windows

  Where you need to replace 'vm-hostname' and 'vm-resourcegroupname' with the Name and Resource group name of the VM for which the Guest OS metrics need to be monitored.

  This enables PowerShell remoting for the respective VM with HTTPS protocol. To know more, click here.

  Note: This command opens port 5986 on the virtual machine's firewall, allowing anyone to connect. To limit access, you can edit the firewall rule and specify the IP address of the allowed source (such as the Applications Manager machine).

2. Run Applications Manager with administrator privilege.

3. Perform the below steps in Applications Manager Server to enable Powershell Remoting (To collect metrics by remoting into Azure VMs).

• Open Powershell prompt with Administrator privileges.
• Execute the following commands:
  

  Set-ExecutionPolicy Unrestricted

  If the above cmdlet produces an Error as below, you can configure Powershell Script Execution via Group Policy Editor:

  

  #To configure Windows PowerShell for remoting, type the following command:

  Enable-PSRemoting -force

  #To configure the TrustedHosts setting to ensure that appmanager can trust the connections from other servers :

  Set-Item wsman:\localhost\client\trustedhosts *

  #To increase the maximum number of concurrent shells that a user can remotely open:

  Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -value 25 -WarningAction SilentlyContinue

  #To set idle timeout value for sessions : Determines how long the session stays open if the remote computer does not receive any communication from the local computer, including the heartbeat signal. When the interval expires, the session closes:

  Set-Item WSMan:\localhost\Shell\IdleTimeout -value 60000 -WarningAction SilentlyContinue

  #Restart the WinRM service for changes to take effect:

  Restart-Service WinRM

Configure Powershell Script Execution via Group Policy Editor

• Open the Group Policy Editor from Control Panel→ Edit Group Policy (or) run gpedit.msc from Start menu.
• To configure, navigate under Computer Configuration to Policies\Administrative Templates\Windows Components\Windows PowerShell.
• You should see a setting called Turn on Script Execution like in the following image:

• Double-click the setting. You will want to enable it and select an option from the drop down.

• Set it to “Allow All Scripts”.
• Click Apply and OK.

Microsoft Azure SQL Database

Here are the prerequisites to monitor Database Query Statistics in the Azure SQL Database monitor:

User Privileges:

To monitor Azure SQL Database Query Statistics, the SQL user account used for monitoring should have either Admin permissions or VIEW SERVER STATE permission. Additionally, the user must be granted permission for both the master database and the Azure SQL database. To create a user and provide access to both databases, follow the steps below:

1. To create a login from the master database, execute the following command:

   CREATE LOGIN <login_name> WITH PASSWORD = '<password>';
   GO

2. To grant access to both the master database and the current SQL database, create the user by executing the following command in both the master and Azure SQL database:

   CREATE USER <user_name> FOR LOGIN <login_name> WITH DEFAULT_SCHEMA = dbo;

3. To grant VIEW SERVER STATE PERMISSION, execute the following query in the master database:

   ALTER SERVER ROLE ##MS_ServerStateReader##
   ADD MEMBER <user_name>;
   GO

Firewall rule configuration in portal:

• In Azure portal, navigate to the Azure SQL database to be monitored → Click on Overview → Select Set Server Firewall → Add your Client IPs to the list. The client must add all their public IPs under the firewall settings in the SQL server.
• Refer to this linkto learn how to set up the server firewall.

  

Allowing outgoing access on port 1433:

• For Applications manager to access and monitor the Azure SQL database, ensure that the firewall on your network and Applications Manager installed server allows outgoing communication on TCP port 1433.

Azure Kubernetes Service (AKS)

1. Install AzureCLI*:

   Install the Azure CLI on an Applications Manager-installed machine (Windows or Linux) to configure the cluster with kubectl for monitoring. Learn more.

2. Install Kubectl*:
   • If kubectl has already been installed, find the version of the kubectl that is using the following command in the command prompt.

     kubectl version --client

     If the version is incompatible, then install the compatible version.
   • Install the compatible Kubectl utility executable file (kubectl.exe) by executing the following command in command prompt:

     az aks install-cli --client-version [client-version]

     The above command is bundled with both kubectl.exe and kubelogin.exe. Here, [client-version] refers to the compatible client-version to be installed. To find the [client-version], go to Azure portal -> AKS Cluster -> Overview -> Cluster Configuration -> Kubernetes Version.

     Note: Choose the supported kubectl version for your AKS cluster by using a minor version that is either an older or newer kubectl relative to your cluster's Kubernetes version (kube-apiserver), consistent with the Kubernetes support policy for kubectl. The Kubernetes version of the cluster can be found in the Azure portal itself.

3. Set the Environmental path variable*:
   • You can add kubectl and kubelogin to the system environment path by adding the kubectl and kubelogin installed directory into the system path under Environment Variables → System → Path.
   • The default path of kubectl and kubelogin in Windows are:

     C:\Users\USERNAME\.azure-kubectl
     C:\Users\USERNAME\.azure-kubelogin

   • You may skip this step if you have either already specified your kubectl and kubelogin installed directory in the system path of the environment variable or have installed kubectl and kubelogin under the <Applications Manager Home>\working directory.
     Note:

     • Ensure that the user used to start the Applications Manager service has access to AWS CLI & kubectl commands.
     • If the Kubernetes cluster is created using the Authentication and Authorization mode 2 (Azure AD Authentication with Kubernetes RBAC) and mode 3 (Azure AD Authentication with Azure RBAC) then you must include the kubelogin installed directory into the system path, else it is not required.
     • Make sure to restart Applications Manager after configuring the environmental variable to run the kubectl commands.
4. Authentication and Authorization*:
   • Refer to the screenshot given below (taken from the AKS cluster creation page) to know about the three modes of Authentication and Authorization in AKS.
   • To find the Authentication and Authorization mode, go to Azure portal -> Kubernetes Services -> Choose respective cluster -> Left pane -> Settings -> Cluster Configuration -> Authentication and Authorization.
   • Local accounts with Kubernetes RBAC: No specific prerequisites are necessary.
   • Azure AD Authentication with Kubernetes RBAC: User (Microsoft Entra ID App or Organizational user) should be a member/owner of the AAD group which is associated with the Kubernetes cluster. Role binding should be done for the user to access the cluster (Refer Note for steps).
   • Azure AD Authentication with Azure RBAC: Role binding should be done for the user (Refer Note for steps)
   Note:

   • The user (Microsoft Entra ID App or Organizational user) must be the same user who added the Azure monitor.
   • To perform Azure role binding go to Azure portal -> Kubernetes Services -> Choose respective cluster -> IAM -> Add role -> Choose any of the required built-in role. Attached below is a screenshot of the built-in roles page for further reference.For more details, refer here. 
   • To perform Kubernetes role binding, refer here.
5. Configure Container Insights: To fetch metrics from Container Insights, you can do so using the az aks addon commands. Execute the following command to enable/disable Container Insights:
   • To enable Container Insights: az aks addon enable
   • To disable Container Insights: az aks addon disable
6. Enable Cluster Autoscaler: To fetch Cluster Autoscaler metrics, you need to enable and configure the cluster autoscaler on the node pool of the AKS cluster. You can enable the cluster autoscaler either while creating a cluster or for an existing cluster via Azure CLI. Learn more.

Note:* indicates that the step is mandatory.

Microsoft 365

• Prerequisites for adding the monitor (from Applications Manager Versions 16310)
• Prerequisites for adding the monitor (till Applications Manager Versions 16300)
  • Prerequisites for enabling Service Health Monitoring
• General Prerequisites for Powershell mode

Prerequisites for adding the monitor (Applicable for Applications Manager Versions from 16310):

General prerequisites:

1. Login to Azure Portal using Microsoft 365 admin credentials. Go to App registrations → New registration and enter the relevant details and click Register to create a new App registration.
2. Copy Directory (Tenant) ID and Application (Client) ID from Overview page of the application.

1. Go to API Permissions → Add a permission → Microsoft Graph → Application permissions, choose the below permissions and click Add permission.
   • Organization → Organization.Read.All
   • Reports → Reports.Read.All
   • ServiceHealth → ServiceHealth.Read.All
   • Teams → Team.ReadBasic.All
   • User → User.Read.All
   • Application → Application.Read.All
2. Click on Grant Admin Consent button.
3. Go to the Manage tab and click on Certificates & Secrets → New Client secret, provide a Name and Description, select Expires duration (Preferably 24 months) and click Add. Copy the Value of the Client Secret.

1. Enable monitoring via Powershell by following the steps given in the Enable monitoring via Powershell tab.
2. Use the Directory (Tenant) ID, Application (Client) ID and Client Secret values obtained from Step 2 and 4 to add Microsoft 365 monitor in Applications Manager.

Prerequisites to enable monitoring via Powershell:

• Please perform the general prerequisites followed by the given steps to successfully add the monitor.
• Go to the Microsoft 365 admin console and ensure that you have assigned Global Reader, SharePoint administrator roles to the user account.
• Open PowerShell window with Administrator privilege and execute the following commands:
  • Exchange Online PowerShell module:

    Install-Module -Name ExchangeOnlineManagement

  • SharePoint Online Powershell Module:

    Install-Module -Name Microsoft.Online.SharePoint.PowerShell -RequiredVersion 16.0.21116.12000

Prerequisites for adding the monitor (Applicable for Applications Manager Versions till 16300):

• Please perform the general prerequisites followed by the given steps to successfully add the monitor.
• You need to install the following modules to monitor Microsoft 365. While installing, ensure that you open Powershell with administrator privileges to execute the commands given below:
  1. Microsoft Online Service Sign-in Assistant for IT Professionals RTW * (Needed for Windows Server 2012 & below) Learn more
  2. MSOnline Module for Windows PowerShell * (Refer this KBin case of any error while installing this module):

     Install-Module -Name MSOnline

  3. Exchange Online PowerShell module:

     Install-Module -Name ExchangeOnlineManagement

  4. SharePoint Online Powershell Module:

     Install-Module -Name Microsoft.Online.SharePoint.PowerShell -RequiredVersion 16.0.21116.12000

  5. Microsoft Teams PowerShell module: (For Applications Manager versions 15110 & above):
     • Open PowerShell window in Admin mode and execute the below command:

       Install-Module MicrosoftTeams -RequiredVersion 2.3.1

     • If error occurs and asks to use -AllowClobber, then execute the below command:

       Install-Module MicrosoftTeams -RequiredVersion 2.3.1 -AllowClobber

     • Once done, execute the below command to install the Preview version:

       Install-Module PowerShellGet -Force -AllowClobber

     • Once done, close the PowerShell window. Then open a new window and execute the below command:

       Install-Module MicrosoftTeams -AllowPrerelease -RequiredVersion "1.1.9-preview"

  Please note that the ones marked with * need to be installed irrespective of the service chosen.

Prerequisites for enabling Service Health Monitoring

1. Go to https://portal.azure.com/ and login with the Microsoft 365 admin credentials.
2. Go to App Registrations and choose New Registration
3. Enter a name and click Register.
4. In the Overview page of the application, copy the Directory (Tenant) ID and Application (Client) ID
5. Go to API Permissions → choose Add a permission
6. Select Microsoft Graph → Application permissions → ServiceHealth → ServiceHealth.Read.All and click Add permission.
7. Choose Add a permission and select Microsoft Graph → Application permissions → Reports → Reports.Read.All and click Add permission.
8. Now grant Admin access for the tenant.
9. Go to the Manage tab and click on Certificates & Secrets → New Client secret.
10. Add a name in Description and select Expires duration (Preferably 24 months) and click Add.
11. Copy the value of that Client Secret.
12. Now paste all the copied values into their respective textboxes in the Add Monitor page and proceed.

General Prerequisites for Powershell mode:

• The Microsoft 365 work or school account that you use for these procedures needs to be a member of an Microsoft 365 admin role. For more information, see About Microsoft 365 admin roles. The Microsoft 365 admin account used for monitoring must be assigned the below roles: Microsoft Teams administrator (Applicable only for Applications Manager versions till 16300), Global Reader or SharePoint administrator.

• You need to use a 64-bit version of Windows because of the requirements for the Microsoft 365 modules. You can use the following 64-bit versions of Windows:
  • Windows 10
  • Windows 8.1 or Windows 8
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2 or Windows Server 2012
  • Windows Server 2008 R2 SP1 *

    * You need to have the Microsoft .NET Framework 4.5 or higher version installed and Windows Management Framework 5.1 installed. For more information, see Installing the .NET Framework and download the latest version of Windows Management Framework.

• You need to install PowerShell version 5.1
  

  To check the PowerShell version installed, open up a PowerShell prompt and execute the below command:

  >$PSVersionTable

  Check for the PSVersion attribute from the output to find out the version.

• Windows PowerShell needs to be configured to run scripts for data collection. To do this, execute the following command in a Windows PowerShell session with administrator privileges.

  >Set-ExecutionPolicy Unrestricted

AWS Monitoring

In Applications Manager, we require AWS Access keys [Access key & Secret Access key] to authenticate and retrieve key performance metrics from AWS portal.

Note: In addition to secret keys, we also require 'List' and 'Read' action type Amazon APIs permissions. Furthermore, we require 'Write' action type APIs permissions for Amazon EC2 actions [Start, Stop, Reboot] actions alone.

Creating Access Keys

To create AWS access keys, login to the AWS console as root/IAM user and in the navigation bar on the upper right, choose your account name or number and then choose Security Credentials. To generate the access key, click on Create Access Key under Access Keys section. You can either copy the key or download it as a .csv file.

Grant API Permissions

By default, AWS users with administrator privileges have access to all the AWS Services APIs. If the user wishes to grant admin access privileges, he can provide the admin user access keys to configure AWS monitor. If the user however, wishes to provide limited permissions access keys, then he needs to create a separate policy with the required APIs and attach this policy to an IAM user. This can be done directly or can be attached to the 'Group' in which the IAM user is associated.

1. To create a policy, sign in to AWS console and go to IAM console with the user that has administrator permissions and select Policies → Create policy.
2. Choose the JSON tab and copy the text from the following JSON policy document and paste it into the JSON text box. View the list of APIs required for each AWS Service supported in Applications Manager

   Policy content in JSON Format:

   { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "eks:DescribeFargateProfile", "ec2:DescribeInstances", "cloudwatch:GetMetricData", "dynamodb:ListTables", "ec2:DescribeRegions", "sns:ListTopics", "ce:GetCostAndUsage", "s3:ListBucket", "ecs:ListServices", "elasticbeanstalk:DescribeEnvironmentResources", "elasticloadbalancing:DescribeLoadBalancers", "eks:DescribeNodegroup", "elasticbeanstalk:DescribeEnvironments", "ec2:StartInstances", "dynamodb:DescribeTable", "ecs:ListTasks", "autoscaling:DescribeAutoScalingGroups", "ec2:DescribeVolumes", "rds:DescribeDBInstances", "ecs:DescribeServices", "ecs:DescribeContainerInstances", "ecs:DescribeTasks", "dynamodb:DescribeLimits", "ecs:ListClusters", "ec2:RebootInstances", "sqs:ListQueues", "eks:ListNodegroups", "sns:ListSubscriptionsByTopic", "lambda:ListFunctions", "lambda:GetFunction", "sqs:GetQueueAttributes", "dynamodb:DescribeStream", "cloudwatch:GetMetricStatistics", "ec2:StopInstances", "ecs:DescribeClusters", "ce:GetCostForecast", "eks:ListFargateProfiles", "s3:ListAllMyBuckets", "elasticbeanstalk:DescribeEvents", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetGroups", "eks:DescribeCluster", "ecs:ListContainerInstances", "eks:ListClusters", "sts:GetCallerIdentity", "s3:GetBucketLocation", "rds:DescribeDBClusters", "ec2:DescribeInstanceAttribute", "cloudwatch:ListMetrics", "ec2:GetConsoleOutput", "cloudformation:ListStackResources", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudfront:ListInvalidations", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "elasticloadbalancing:DescribeLoadBalancerAttributes", "directconnect:DescribeConnections", "ecr:DescribeRepositories", "ecr:DescribeImages", "ec2:DescribeNatGateways", "fsx:DescribeFileCaches", "route53:ListHealthChecks", "route53:GetHealthCheck", "route53:GetHealthCheckStatus", "route53:GetHealthCheckLastFailureReason", "transfer:DescribeServer", "transfer:ListServers", "transfer:ListUsers", "wafv2:ListWebACLs", "wafv2:GetWebACL", "cloudhsm:DescribeClusters", "kms:ListKeys", "kms:DescribeKey", "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListGrants", "kms:DescribeCustomKeyStores", "secretsmanager:ListSecrets", "secretsmanager:DescribeSecret", "storagegateway:ListGateways", "storagegateway:DescribeGatewayInformation", "storagegateway:ListFileShares", "storagegateway:DescribeSMBFileShares", "storagegateway:DescribeNFSFileShares", "storagegateway:ListVolumes", "storagegateway:DescribeStorediSCSIVolumes", "storagegateway:DescribeCachediSCSIVolumes", "dms:DescribeReplicationInstances", "dms:DescribeReplicationTasks", "dms:DescribeEvents", "dms:DescribeEndpoints", "mq:ListBrokers", "mq:DescribeBroker", "mq:ListConfigurations", "mq:DescribeConfiguration" ], "Resource": "*" },{"Sid": "VisualEditor1","Effect": "Allow","Action": "apigateway:GET","Resource": [ "arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/restapis"]},{"Sid": "VisualEditor2","Effect": "Allow","Action": "apigateway:GET","Resource": [ "arn:aws:apigateway:*::/apis/*","arn:aws:apigateway:*::/apis"]}]}

3. Fill in the required details and click on Create Policy.
4. Select the policy you created and click on Actions → Attach. Choose the user to whom you want to attach the policy to and click on Attach Policy.
5. Once the policy is attached, required API permissions will be granted to the user.

Finally, use the access keys created in the above steps to add the AWS monitor in Applications Manager.

List of APIs required for each AWS Service supported in Applications Manager

Category	APM Monitor Name	Service Name in AWS Portal	List of APIs
Billing	Billing statistics	Cost Explorer Service	GetCostAndUsage, GetCostForecast
Compute	EC2 (Elastic Compute Cloud)	EC2	DescribeVolumes, DescribeInstances, DescribeRegions, DescribeInstanceAttribute
	EC2 Actions (System log, start, stop & reboot instances)	EC2	GetConsoleOutput, StartInstances , StopInstances, RebootInstances
	Elastic Beanstalk	EC2 Auto Scaling	DescribeAutoScalingGroups, ListStackResources
	Elastic Beanstalk	Elastic Beanstalk	DescribeEnvironments, DescribeEnvironmentResources, DescribeEvents
	ELB (Elastic Load Balancing)	ELB v2	DescribeLoadBalancers, DescribeLoadBalancerAttributes, DescribeTargetGroups, DescribeTargetHealth
	Lambda	Lambda	ListFunctions, GetFunction
Containers	ECS (Elastic Container Service)	Elastic Container Service	DescribeClusters, DescribeContainerInstances, DescribeServices, DescribeTasks, ListClusters, ListContainerInstances, ListServices, ListTasks
	EKS (Elastic Kubernetes Service)	EKS	ListFargateProfiles, DescribeNodegroup, ListNodegroups, DescribeFargateProfile, DescribeCluster, ListClusters
	Elastic Container Registry	ECR	ecr:DescribeRepositories, ecr:DescribeImages
Database	DynamoDB	DynamoDB	ListTables, DescribeTable, DescribeLimits, DescribeStream
	RDS (Relational Database Service)	RDS	DescribeDBInstances, DescribeDBClusters
Integration	ActiveMQ	Amazon MQ	ListBrokers, DescribeBroker, ListConfigurations, DescribeConfiguration
	RabbitMQ	Amazon MQ	ListBrokers, DescribeBroker, ListConfigurations, DescribeConfiguration
	SQS (Simple Queue Service)	SQS	ListQueues, GetQueueAttributes
	SNS (Simple Notification Service)	SNS	ListTopics, ListSubscriptionsByTopic
Monitoring	To collect performance metrics from CloudWatch	CloudWatch	GetMetricData, GetMetricStatistics, ListMetrics
Migration and Transfer	File Transfer Family	AWS Transfer Family	ListServers, DescribeServer, ListUsers
	DMS Replication Instance	AWS Database Migration Service	DescribeReplicationInstances, DescribeReplicationTasks, DescribeEvents, DescribeEndpoints
	DMS Replication Task	AWS Database Migration Service	DescribeReplicationInstances, DescribeReplicationTasks, DescribeEvents, DescribeEndpoints
Networking	Cloudfront	CloudFront	ListDistributions, GetDistribution, ListInvalidations
	API Gateway	API Gateway	/restapis, /restapis/*, /apis, /apis/*
	NAT Gateways	EC2	ec2:DescribeNatGateways
	Direct Connect	Direct Connect	directconnect:DescribeConnections
	Route 53 (Health Checks)	Route 53	route53:ListHealthChecks, route53:GetHealthCheck, route53:GetHealthCheckStatus, route53:GetHealthCheckLastFailureReason
Security	AWS monitor authentication/addition	STS (Security Token Service)	GetCallerIdentity
	CloudHSM	AWS CloudHSM	DescribeClusters
	Key Management Service	AWS Key Management Service	ListKeys, DescribeKey, ListGrants, ListAliases, DescribeCustomKeyStores, GetKeyRotationStatus
	Secrets Manager	AWS Secrets Manager	ListSecrets, DescribeSecre
	Web Application Firewall	AWS WAF	ListWebACLs, GetWebACL
Storage	S3 (Simple Storage Service)	S3	ListAllMyBuckets, ListBucket, GetBucketLocation
	EFS (Elastic File System)	EFS	DescribeMountTargets, DescribeFileSystems
	FSx (File Cache)	FSx	fsx:DescribeFileCaches
	Storage Gateway	AWS Storage Gateway	storagegateway:ListGateways, storagegateway:DescribeGatewayInformation
	Storage Gateway File Share	AWS Storage Gateway	storagegateway:ListFileShares, storagegateway:DescribeSMBFileShares, storagegateway:DescribeNFSFileShares
	Storage Gateway Volume	AWS Storage Gateway	storagegateway:ListVolumes, storagegateway:DescribeStorediSCSIVolumes, storagegateway:DescribeCachediSCSIVolumes

AWS API Gateway

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• REST API
  • GetRestApis
  • GetRestApi
• HTTP API/WebSocket API
  • GetApis
  • GetApi

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS EC2 Instances

To collect operating system-level metrics like Memory and Disk, you must deploy the Cloud-Watch Agent inside EC2 instance. The agent will send your data to Cloud-Watch from where Applications Manager fetches and displays it in the console. Click here to know more about how you can collect metrics from Amazon ec2 instances and on-premises servers with the Cloud-Watch Agent.

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• EC2 - DescribeVolumes, DescribeInstances, DescribeRegions, DescribeInstanceAttribute
• EC2 actions - GetConsoleOutput, StartInstances , StopInstances, RebootInstances

The common API calls GetMetricStatistics and ListMetrics are used for all the metrics that we collect from CloudWatch.

AWS RDS Instances

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeDBInstances
• DescribeDBClusters

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS S3 Buckets

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListAllMyBuckets
• ListBuckets
• GetBucketLocation

The common API call GetMetricData is used for all the metrics that we collect from Cloudwatch.

AWS Direct Connect Monitoring

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeConnections

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS DynamoDB Monitoring

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListTables
• DescribeTable
• DescribeLimits
• DescribeStream

The common API call GetMetricStatistics is used for all the metrics that we collect from CloudWatch.

AWS Billing

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• GetCostAndUsage
• GetCostForecast

AWS Cloudfront

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListDistributions
• GetDistribution
• ListInvalidations

The common API calls GetMetricData and ListMetrics are used for all the metrics that we collect from CloudWatch.

• To monitor additional metrics, for deep insights into a CloudFront distribution, refer the AWS documentation.
• For enabling additional metrics, refer the documentation to know about additional cost.

AWS Elastic Load Balancer (ELB)

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeLoadBalancers
• DescribeLoadBalancerAttributes
• DescribeTargetGroups
• DescribeTargetHealth

The common API calls GetMetricData and ListMetrics are used for all the metrics that we collect from CloudWatch.

Amazon File Transfer Family

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListServers
• DescribeServer
• ListUsers

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS SNS

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListTopics
• ListSubscriptionsByTopic

The common API call GetMetricStatistics is used for all the metrics that we collect from CloudWatch.

AWS Lambda

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListFunctions
• GetFunction

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS NAT Gateways

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeNatGateways

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS Elastic Beanstalk

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeEnvironments
• DescribeEnvironmentResources
• DescribeAutoScalingGroups
• DescribeEvents
• ListStackResources

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

• In the AWS console, select ElasticBeanstalk under Services.
• Select the environment that needs the metrics to be enabled.
• Click Configuration on the left side menu.
• Choose Monitoring → click Edit → select Enhanced → select all the metrics for environment and instance.
• Click Apply.

AWS Elastic Container Registry

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeRepositories
• DescribeImages

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS FSx File Cache

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeFileCaches

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS Route 53 Health Checks

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListHealthChecks
• GetHealthCheck
• GetHealthCheckStatus
• GetHealthCheckLastFailureReason

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Note: Enable the Measure Latency option to monitor latency-related metrics when creating a Route 53 Health Check.

AWS SQS

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListQueues
• GetQueueAttributes

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS Elastic Container Service (ECS)

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListClusters
• DescribeClusters
• ListContainerInstances
• DescribeContainerInstances
• ListServices
• DescribeServices
• ListTasks
• DescribeTasks

The common API call GetMetricData is used for all the metrics that we collect from Cloudwatch.

• To enable Container Insights on an existing Amazon ECS cluster, enter the following command. You must be running version 1.16.200 or later of the AWS CLI for the following command to work. Learn more

  aws ecs update-cluster-settings --cluster <ClusterName> --settings name=containerInsights,value=disabled

• To deploy the CloudWatch agent to collect instance-level metrics from Amazon ECS clusters hosted on EC2 instance, download the JSON file, save it and then execute the following command in CLI. Learn more

  aws cloudformation create-stack --stack-name CWAgentECS-<CLUSTERNAME>-<REGION> --template-body file://<FILENAME>.json --parameters ParameterKey=ClusterName,ParameterValue=<CLUSTERNAME> ParameterKey=CreateIAMRoles,ParameterValue=True --capabilities <CAPABILITY_NAMED_IAM> --region <REGION>

AWS Elastic File System (EFS)

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeMountTargets
• DescribeFileSystems

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

AWS Elastic Kubernetes Service (EKS)

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

1. Check if you have given access for the following APIs to the IAM user whose credentials are being used for monitoring EKS:
   • ListFargateProfiles
   • DescribeNodegroup
   • ListNodegroups
   • DescribeFargateProfile
   • DescribeCluster
   • ListClusters
   • GetMetricData
   • GetMetricStatistics
2. Download and install the AWS CLI (Windows or Linux) to configure cluster with kubectl for monitoring. Learn more
   • Windows: Execute the downloaded file to open the Installation wizard and complete the installation.
   • Linux: Execute the below commands to unzip the downloaded file, execute the program and complete the installation. Learn more
     • unzip awscliv2.zip
     • sudo ./aws/install
   Note: AWS CLI is used only for AWS EKS monitoring. Uninstall AWS CLI if no longer needed.
3. Download the latest Kubectl utility executable file (Windows or Linux). Learn more
   • Windows: Place the downloaded executable file under <Applications Manager Home>\working\ directory (or) add kubectl to the system environment path.
   • Linux: Execute the following commands (or) add kubectl to the system path.
     • chmod +x ./kubectl
     • mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
4. To fetch metrics from Container Insights, implement the prerequisites for container insights. However, to execute the commands specified in the prerequisites, AWS CLI and kubectl should be configured.
   • To configure AWS CLI, execute the below command and provide the necessary credentials:
     aws configure
   • To configure kubectl, execute the below command:
     aws eks --region {region} update-kubeconfig --name {cluster_name} --kubeconfig <FILEPATH>.
5. Nodes (EC2 instances) should have the policy CloudWatchAgentServerPolicy to send container insights metrics to CloudWatch.

Amazon ActiveMQ

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListBrokers
• DescribeBroker
• ListConfigurations
• DescribeConfiguration

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon CloudHSM

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeClusters

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon DMS Replication Instance

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeReplicationInstances
• DescribeReplicationTasks
• DescribeEndpoints
• DescribeEvents

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon DMS Replication Task

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• DescribeReplicationTasks
• DescribeReplicationInstances
• DescribeEndpoints

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon Key Management Service

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListKeys
• DescribeKey
• DescribeCustomKeyStores
• ListGrants
• GetKeyRotationStatus

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon RabbitMQ

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListBrokers
• DescribeBroker
• ListConfigurations
• DescribeConfiguration

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon Storage Gateway

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListGateways
• DescribeGatewayInformation

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon Storage Gateway File Share

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListFileShares
• DescribeNFSFileShares
• DescribeSMBFileShares

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon Storage Gateway Volume

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListVolumes
• DescribeCachediSCSIVolumes
• DescribeStorediSCSIVolumes

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon Secrets Manager

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListSecrets
• DescribeSecret

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Amazon Web Application Firewall

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

• ListWebACLs
• GetWebACL

The common API call GetMetricData is used for all the metrics that we collect from CloudWatch.

Google Cloud Platform

• Prerequisites for monitoring Google Cloud Platform (GCP) metrics
• Steps to create an OAuth Provider for GCP

Prerequisites for monitoring Google Cloud Platform (GCP) metrics

1. Login to the GCP Console with Owner access to the Project to be monitored.
2. Go to GCP Console → APIs & Services → Library, to enable the following APIs :
   • Cloud Resource Manager API
   • Cloud Asset API
   • Compute Engine API
   • Stackdriver API
   • Stackdriver Monitoring API
   • Cloud Storage
   • Google Cloud Storage JSON API
   • Cloud Filestore API
   • Kubernetes Engine API
3. Create an OAuth provider using the steps mentioned in this link to monitor a GCP project.
4. Once an OAuth provider is created, verify if it has an Access Token and Refresh Token.
5. You can use OAuth provider to add multiple projects under the same account, but ensure that the APIs are enabled in each project before adding a monitor in AppManager.

Steps to create an OAuth Provider for GCP

1. In Applications Manager, go to Settings → Discovery and Data Collection → Credential Settings → OAuth Provider and select Add OAuth Provider. (Make sure you are logged in from a fully qualified domain name as in the help card)
2. Copy the Redirect URL from the Add OAuth Provider window.
3. (Skip to the next step if app is already created) In the GCP Console, go to Google Auth Platform → Branding. If the app is not yet created, click Get Started, provide the necessary App Information, select External under Audience, and click Create.
4. Go to GCP Console → Google Auth Platform → Branding. Under Authorized domain, click 'Add Domain' and enter the domain name from the Redirect URL. Then press the enter key and click the Save button. Navigate to Google Auth Platform → Audience and ensure that the User Type is set to External.
5. Go to GCP Console → Google Auth Platform  → Clients → Create Client.
6. Select Web Application, enter the copied Redirect URI in the Authorised redirect URIs section, press Enter and click Create.
7. Now the list of clients created will be displayed. Locate the client you have created for this process and click the respective pencil icon under the 'Action' column.
8. You can find the 'Client ID' and 'Client Secret' under the 'Additional Information' section. Copy it and fill in the Add OAuth Provider window.
9. Fill the following as below:
   • Grant Type - Authorization Code
   • Authorization Endpoint URL - https://accounts.google.com/o/oauth2/auth
   • Scope - https://www.googleapis.com/auth/cloud-platform
   • Query parameters:
         Name - access_type
         Value - offline
   • Token endpoint URI - https://oauth2.googleapis.com/token
   • Token request method - Post request body
   • Authenticated request method - Basic Authentication
   Note : Remaining fields should remain as default.
10. Click Authorize button and authorize using the account to login to GCP.
11. Once created, verify whether both Access token and Refresh token are generated.
    
    Note: If the refresh token is not generated, verify that the steps above were followed correctly. Also, check if the account is already connected to the Google Auth Platform. To do this, go to Google Account Settings → Data & Privacy → Third-party apps & services and check if the Google Auth Platform is listed. If it is, delete the connection and try again. If this account is being used for a different purpose, consider using a separate Google account to authorize OAuth to onboard GCP monitoring in Applications Manager.
12. Use this OAuth Provider in the Google Cloud Platform's New Monitor page.

Oracle Cloud Infrastructure

To obtain data into Applications Manager, the user must have appropriate policies/permissions assigned by the administrator. To do so, follow the steps given below:

• Login as administrator into the Oracle Cloud Infrastructure console. Under Identity & security section, go to Identity → Groups option and click on Create Group button.
• Create a new group with the required group name (say 'AppManager') and add the required user to this newly-created group.
• Under Identity → Policy option, click on Create Policy button and create a new policy with the following policy statement:

ALLOW GROUP <Your Group Name> to use all-resources IN TENANCY

Example:

ALLOW GROUP AppManager to use all-resources IN TENANCY

Make sure that you are in the 'root' compartment while creating the above policy.

Details to be specified while adding the OCI monitor

To monitor the services in Oracle Cloud Infrastructure, you need to specify the RSA key pair in PEM format, fingerprint of the public key, tenancy OCID, user OCID and subscribed region while adding the Oracle Cloud monitor in Applications Manager. Browse through the following links to obtain the required details for adding the Oracle Cloud monitor:

• Tenancy OCID and User OCID - Follow these instructions to get the Tenancy OCID and User OCID.
• PEM file path - Follow these instructions to generate an API Signing Key in PEM format. After generating the PEM file, provide the file path as input. Example: C:\Users\APM\.oci\oci_api_key.pem
• Fingerprint - Follow these instructions to get the fingerprint of the public key by uploading the public key to the Oracle Cloud console.
• Subscribed regions: After logging into the Oracle Cloud console, on the top right, click drop down and then select Manage Regions. Now choose the regions that you have subscribed. View supported regions in Applications Manager

Oracle Autonomous Database

To obtain data for TableSpace, Sessions, Processes and Jobs in Applications Manager, you must configure the Oracle Wallet credentials in the Oracle Autonomous DB monitor. To do so, follow the steps given below:

• Go to Monitor Actions → Edit Monitor available on right-side of the Oracle Autonomous DB monitor dashboard page.
• Download the Oracle Wallet credentials. (Click here to learn how to download the Oracle Wallet credentials)
• After downloading, unzip the Wallet_databasename.zip file to a secured location.
• Copy the location path of that file and provide as input in the Wallet File Path field.
• Now open the tnsnames.ora file (obtained after unziping Wallet_databasename.zip file) in any text editor. This file contains the predefined services identifiable as high, medium, and low. Each service has its own TNS alias and connection string. Copy any one of the alias names (based on severity) and provide the same as input in the TNS Alias Name field. (Refer here to learn more)
• Enter the username and password used to connect to the autonomous database. (Minimum roles required for the user - CONNECT and SELECT_CATALOG_ROLE)
• Click Update.

OpenStack

Note: In OpenStack, as per policy defaults, only users with the administrative role can perform all the operations.
Each service in OpenStack has its own role-based access policies to determine which user can access the objects.
These details are defined in the respective service's policy.json / policy.yaml file.

Configuring policies for a user allows you to access the required APIs that will be used by Applications Manager to collect data.

• Authentication API: Configure the Keystone policy file to get access to GET /v3/auth/tokens API.
• Cinder Services: Configure the Cinder policy file to get access to GET /v3/{project_id}/os-services API.
• Glance Images: Configure the Glance policy file to get access to GET /v2/images API.
• Hypervisors: Configure the Nova policy file to get access to GET /os-hypervisors API.
• Neutron Agents: Configure the Neutron policy file to get access to GET /v2.0/agents API.
• Nova/Compute Services: Configure the Nova policy file to get access to GET /os-services, GET /servers/detail API.

Set aside the values of the following fields to add an Openstack monitor in Applications Manager:

• Base Authentication URL
• Tenant Name
• Username and Password
• Project-scoped Token (If applicable)

ERP

Oracle EBS

Applications Manager uses the Dynamic Monitoring Service (DMS) to monitor performance and availability of Oracle E-Business Suite. You can access performance metrics using servlets from the following URLs for different versions of EBS from Applications Managers:

• EBS R11 - http://<host>:<port>/dms0/AggreSpy
• EBS R12.0 - http://<host>:<port>/dms0/Spy
• EBS R12.2.0, R12.2.5 and Above - http://<host>:<port>/dms/Spy

For Oracle E-Business Suite Version R11i, the DMS Servlet has to be made accessible to the system where Applications Manager is running. For Versions R12.0 and R12.2.0, the DMS Servlet should be accessible by default. It is recommended that you test to ensure that the Servlet is accessible to the Applications Manager system. [The instructions given below are referred from the Oracle website.]

For Oracle E-Business Suite R11i:

By default, the dms0/AggreSpy URL is protected, allowing only the localhost (127.0.0.1) to access the AggreSpy Servlet. To view metrics from a system other than the localhost, you need to change the DMS configuration for the system running the Oracle EBS that you want to monitor by modifying the trusted.conf file. This can be done as follows:

• Open the trusted.conf file under $ORACLE_HOME/Apache/Apache/conf on a UNIX system, or%ORACLE_HOME%\Apache\Apache\conf\ on a Windows system.
• Add the Applications Manager Hostname and IPaddress in the Allow from list as shown in the following example:
  <Location ~ "/(dms0|DMS|Spy|AggreSpy)">
  Order deny,allow
  Deny from all
  Allow from localhost
  Allow from <list of TRUSTED IPs>
  </Location>
• Now open the httpd.conf and httpd_pls.conf files and check if the trusted.conf file is included. The Files are present under$ORACLE_HOME/Apache/Apache/conf on a UNIX system, or %ORACLE_HOME%\Apache\Apache\conf\ on a Windows system. If the trusted.conf file is not included, add the following lines in both the files and save:
  # Include the trusted.conf file
  include $ORACLE_HOME/Apache/Apache/conf/trusted.conf
• Restart Oracle E-Business Suite and ensure that you are able to access the URL http://<host>:<port>/dms0/AggreSpy from the Applications Manager system.

For Oracle E-Business Suite R12.0:

Ensure that you are able to access the URL http://<host>:<port>/dms0/Spy (Hostname = Hostname with domain name, Port number = OAS listening port) from the Applications Manager system.

For Oracle E-Business Suite R12.1.3:

Applications Manager uses Oracle JDBC connection to monitor it.For monitoring Oracle EBS v12.1.3, the following user privileges will be required:

• CONNECT role
• SELECT_CATALOG_ROLE role
• SELECT_ANY_TABLE role

For Oracle E-Business Suite R12.2.0, R12.2.5 and above:

Ensure that you are able to access the URL http://<host>:<port>/dms/Spy (Hostname = Hostname with domain name, Port number = Weblogic Admin Server listening port) from the Applications Manager system. Users must enter the credentials of their Weblogic Admin server in their Oracle E-Business Suite to access the URL.

Caution: Modifying trusted.conf has security implications. Modify this file only if you understand the security implications for your site. By exposing metrics to systems other than the localhost, you allow other sites to potentially view critical Oracle EBS Server internal status and runtime information.

SAP Server / SAP CCMS

• SAP Server Monitoring and SAP CCMS Monitoring requires SAP JavaConnector (JCo) to be present in Applications Manager's classpath.
• While creating a SAP Server / SAP CCMS monitor, you need a SAP user profile with the authorization objects S_RFC, S_XMI_LOG and S_XMI_PROD, which can be found by executing the transaction code SU56in SAP logon to view user authorizations.

  

Note: The user name provided while adding SAP monitor should have sufficient privileges to access CCMS and Background job metrics. To check this, the user can execute RZ20 transaction in the SAP GUI and see if the CCMS monitor sets can be displayed.

Applications Manager build 14270 and above

For Windows:

• Download and unzip the SAP JavaConnector [SAP JCo 3.1.x] from here. Depending on the hardware architecture of host machine where Applications Manager is running, make sure you download the respective zip file.
• In the machine, where Applications Manager is running, copy sapjco3.jar and sapjco3.dll and sapjco3.pdb under AppManager_home/working/lib directory.
• If Applications Manager is installed on Windows, as mentioned in SAP Note 2786882 on Windows platforms, JCo 3.1 requires the Visual Studio 2013 C/C++ runtime libraries to be installed on the system. To verify, check for the presence of the "Microsoft Visual C++ 2013 Redistributable" package in ControlPanel -> Program and Features. If not present, download and install the "Visual C++ 2013 Redistributable Package" from the Microsoft knowledge base article https://support.microsoft.com/en-us/help/4032938 and choose the package, which corresponds to the used Locale and JVM bit-width (x64 for 64-bit or x86 for 32-bit).
• Restart Applications Manager.

Note: Do not copy the sapjco3.dll file neither into the {windows-dir}/system32 nor into the {windows-dir}/SysWOW64 directory. This will break the operability of other JCo versions that are already installed on the same system. Furthermore you would risk that the current installation also would not work anymore, if the sapjco3.dll gets replaced in the respective Windows system directory in the future.

For Linux:

• Download and unzip SAP JavaConnector[SAP JCo 3.1.x] from here. Depending on the hardware processor of the host machine where Applications Manager is installed. make sure you download the respective zip file.
• In the machine, where Applications Manager is running, copy sapjco3.jar and libsapjco3.so under AppManager_home/working/lib directory.
• Restart Applications Manager.

Applications Manager build below 14270

For Windows:

• Download and unzip the SAP JavaConnector [SAP JCo 3.0.x] from here. Depending on the hardware architecture of host machine where Applications Manager is running, make sure you download the respective zip file.
• In the machine, where Applications Manager is running, copy sapjco3.jar and sapjco3.dll and sapjco3.pdb under AppManager_home/working/lib directory.
• If Applications Manager is installed on Windows, as mentioned in SAP Note 1077727 JCo 3.0 requires the Microsoft Visual Studio 2005 C/C++ runtime libraries (version 8.0.50727.6195) to be installed on the system. To verify, check for the presence of the "Microsoft redistributable runtime DLLs VS2005 SP1" in ControlPanel -> Program and Features. If not present, download and install the "Visual C++ 2005 SP1 Redistributable Package" from the Microsoft website https://www.microsoft.com/en-us/download/details.aspx?id=26347 and choose the package, which corresponds to the used JVM bit-width and processor architecture (x64 for 64-bit, x86 for 32-bit and ia64 for Itanium processors).
• Restart Applications Manager.

Note: Do not copy the sapjco3.dll file neither into the {windows-dir}/system32 nor into the {windows-dir}/SysWOW64 directory. This will break the operability of other JCo versions that are already installed on the same system. Furthermore you would risk that the current installation also would not work anymore, if the sapjco3.dll gets replaced in the respective Windows system directory in the future.

For Linux:

• Download and unzip SAP JavaConnector[SAP JCo 3.0.x] from here. Depending on the hardware processor of the host machine where Applications Manager is installed. make sure you download the respective zip file.
• In the machine, where Applications Manager is running, copy sapjco3.jar and libsapjco3.so under <Applications Manager Home>/working/lib directory.
• Restart Applications Manager.

Microsoft Dynamics CRM / 365 (On-Premise)

To monitor a Microsoft Dynamics CRM / 365 application, the user must have Administrator privileges with permission to execute WMI queries on 'root\CIMV2' namespace of the Dynamics CRM / 365 Server. To add an Microsoft Dynamics CRM / 365 application, follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5  in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Grant access to the following list of ports on the firewall for Microsoft Dynamics CRM / 365 monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

To use Powershell for data collection, make sure proper steps are followed to enable Powershell remoting.

Note: If you want to monitor as a non-admin user, follow the steps mentioned in this link.

Microsoft Dynamics AX

To monitor a Microsoft Dynamics AX application, the user must have Administrator privileges with permission to execute WMI queries on 'root\CIMV2' namespace of the Microsoft Dynamics AX. To add an Microsoft Dynamics AX application, follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5  in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Firewall access for monitoring:Following are the list of ports required for monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

Note: If you want to monitor as a non-admin user, follow the steps mentioned in this link.

SAP Business One

Integration Framework should be launched for SAP Business One and should be accessible from Applications Manager Server. To validate the connectivity, please execute the following API request from the 'Applications Manager' server:

• POST URL: http://HOST:PORT/B1iXcellerator/exec/ipo/iFw2.APIs/com.sap.b1i.dev.api/ipo/api2.ipo/api.caller
• Body Content type: application/atom+xml
• Request Body:
  <api.call method="users" mode="list">
  <request>
  <admin>true</admin>
  <runtime>false</runtime>
  </request>
  </api.call>

 

SAP Java

• Copy the following jars and place it under APM_HOME/working/classes

1. For Versions below 7.3:
   • Following .jar files are required from \usr\sap\<SID>\JC<InstanceNumber>\j2ee\admin\lib:
     1. admin.jar
     2. com_sap_pj_jmx.jar
     3. exception.jar
     4. logging.jar
     5. jmx.jar
   Following jar is required from
   \usr\sap\<SID>\DVEBMGS<InstanceNumber>\j2ee\j2eeclient
   :
   • sapj2eeclient.jar

1. For versions 7.3 and above:
   • Following jars are required from \usr\sap\<SID>\<Instance Name>\j2ee\cluster\bin\ext\tc~jmx\lib\ and rename as below :
     1. sap.com~tc~bl~pj_jmx~Impl.jar → tcbl_pj_jmxImpl.jar
     2. sap.com~tc~exception~impl.jar → tc_exceptionImpl.jar
     3. sap.com~tc~je~clientlib~impl.jar → tc_jeclientlibImpl.jar
     4. sap.com~tc~je~leanClient.jar → tc_jeleanClient.jar
     5. sap.com~tc~logging~java~impl.jar → tc_logging_javaImpl.jar
     6. tc~bl~base~client.jar → tcbl_baseclient.jar
     7. tc~bl~deploy~client.jar → tcbl_deployclient.jar

• Find P4 Port:
    50000+100*instance_number+20+n*5+port_index,
      where,(n - Cluster elements
      port index - Indicates p4 port [4])

The port value is a number over 50000. For each cluster element the ports begin with 50000+100*instance_number, where instance_number is a two digit number from 00 to 99 specifying the number of central instance and dialog instances.

• Click VM System Parameterslink and enable below :
  • com.sun.management.jmxremote.port
  • com.sun.management.jmxremote.ssl
  • com.sun.management.jmxremote.authenticate
• SAP User Permissions
  • Given below is the minimal set of SAP authorizations required to create and retrieve the necessary data from the monitor.
  • You need to create a SAP role with one assigned action and then assign it to a SAP user:
    • Type: UME
    • Service / Application: tc~pi~monitor~perm
    • Name: PI_PAYLOAD_MONI
  • Alternatively, you can use the predefined SAP_XI_PCK_MONITOR role that contains the above-listed action.

Servers

Windows

Applications Manager supports users with both administrator and non-administrator roles for monitoring Windows servers through WMI mode. However, it is recommended to use administrator privilege for Windows server monitoring.

Currently, Windows hardware performance monitoring is supported in SNMP and WMI monitoring mode:

Monitoring Dell hardware status:

• Dell OpenManage Server Administrator and make sure SNMP agent is enabled.
• Installation steps: https://www.dell.com/support/kbdoc/en-in/000132087/support-for-dell-emc-openmanage-server-administrator-omsa

Monitoring HP hardware status:

• HP System Insight Manager (SIM v6.2 or higher is recommended) and make sure SNMP agent is enabled
• For SNMP mode, download and install HP Insight Management Agents.
• For WMI mode, download and install HP Insight Management WBEM Providers.

SNMP Mode of monitoring:

Determine if SNMP responds for the OID properly. Below are the correct OID'S for each vendor:

• For HP: 1.3.6.1.4.1.232.2.2.2.1.0
• For Dell: 1.3.6.1.4.1.674.10892.1.300.10.1.8.1

WMI mode of monitoring:

The following conditions must be met before you can proceed troubleshooting WMI nodes:

• The node has successfully been added via WMI.
• WMI is working properly on the remote server.
• HP System Insight Manager (SIM v6.2 or higher is recommended) is installed on the remote server and running.
• Dell OpenManage Server Administrator is installed on the remote server and running.

If using WMI, execute the below cmdlet from Powershell prompt with Administrator privileges:

Set-ExecutionPolicy Unrestricted

This is to allow execution of powershell scripts, which handle proper process termination during Datacollection

For WMI Mode of Monitoring:

• In Windows Server 2008 and later versions, and in Windows Vista and later versions, use the following dynamic port range:

  Start port: 49152

  End port: 65535

• If your computer network environment uses only Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista, you must enable connectivity over the high port range of 49152 through 65535.
• For Windows 2000, Windows XP, and Windows Server 2003 use the following dynamic port range:

  Start port: 1025

  End port: 5000

• If your computer network environment uses Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges:

  High port range: 49152 through 65535

  Low port range: 1025 through 5000

Linux

Prerequisites for monitoring Linux:

• Edit the sudo configuration file using the following command:

  sudo visudo

• Add the following line to the end of the file:

  <USERNAME>ALL= NOPASSWD: /bin/systemctl

Note: The above steps are unnecessary if the setup has been installed with ROOT user privilege. Ensure that the prerequisites are implemented correctly; otherwise, the setup might not start or stop properly.

The Serial number attribute is supported in SSH/Telnet mode for Linux servers. To retrieve the Serial number, use the following command:

dmidecode

If the dmidecode command is not installed on the Linux server, install it before proceeding. The command requires SUDO permissions. To enable these permissions, complete the following steps in the targeted Linux server:

• Log in to the Linux device, open command prompt, and assign read permissions to the specified directory to enable execution of the dmidecode executable file.
• To set read-only permissions for the dmidecode files, use the following commands:

  sudo chmod 444 /sys/firmware/dmi/tables/DMI

   

  sudo chmod 444 /sys/firmware/dmi/tables/smbios_entry_point

Note: In some Linux distributions, these files may not be available. If so, use root user account to retrieve the serial number.

Prerequisites for monitoring Cron jobs:

• Curl must be installed in the remote Linux machine.
• Script linked to the cron job must have executable permission.
• The machine where Applications Manager is installed should be reachable from the remote Linux machine via SSL port without any proxy server.
• The remote machine where the cron job is running must be synced with the correct time zone.
• Cron job interval should be a minimum of five minutes.
• Cron job uses HTTPs protocol to send responses to the machine where Applications Manager is installed and is validated using the admin user's Rest API key. If the admin user's API key is regenerated, then update the latest API key for all the cron job(s) on the remote Linux machine using the crontab -e command.
• Linux cron is supported only in SSH and TELNET mode of monitoring.

Prerequisites for monitoring NTP Stats:

• Ensure whether chrony / ntpstat are installed in the target servers. If not installed, then NTP stats monitoring will not be performed.
• Make sure to restart Applications Manager after installing chrony / ntpstat on the target server.

AIX

• Edit the sudo configuration file using the following command:

  sudo visudo

• Add the following line to the end of the file:

  <USERNAME>ALL= NOPASSWD: /usr/bin/startsrc, /usr/bin/stopsrc

Note: The above steps are unnecessary if the setup has been installed with ROOT user privilege. Ensure that the prerequisites are implemented correctly; otherwise, the setup might not start or stop properly.

IBM i

• To connect to IBM i server from Applications Manager, ensure that the ports mentioned under "Port Non-SSL" column in the link are not blocked in firewall. Also check out: https://www.ibm.com/support/pages/ports-must-be-open-make-odbc-data-transfer-ole-db-adonet-or-jdbc-connection-through-firewall
• It is recommended to use an account having a *QSECOFR permission on the server. If using the *QSECOFR user profile is not possible, then use an account of user class *USER with additional permissions as follows:
  • The user should be permitted to access QMPGDATA/QPFRDATA(used to collect disk details) and QGPL(used to collect problem details) libraries and permitted to execute the command CRTPFRDTA and DSPPRB.
  • Consider the following special authorities when you use an account of user class *USER such as *ALLOBJ, *SAVSYS , *JOBCTL, *SPLCTL to retrieve all data and perform IBM i admin actions from Applications Manager.

Windows Cluster

To monitor a Windows Cluster, use the Cluster Domain Administrator username and password, for which the user account should have the permission to execute WMI queries on root\mscluster namespace in cluster server nodes.

Firewall access for monitoring:

Following are the ports required for monitoring via WMI:

• Windows Management Instrumentation (WMI) (Default : TCP 445)
• Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

Services

JMX Applications

To monitor a JMX Applications, the following java runtime options are to be added to your application

• Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099
• Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false

Replace 1099 with the actual port number of the agent

Example:

• To enable JMX Applications in JBoss:
  • Edit the run.sh/bat under JBoss home/bin.
    Append the following command to JAVA_OPTS,
    JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%

• To enable JMX Applications in Tomcat:
  • JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%
• To enable SSL for JMX applications
  • -Dcom.sun.management.jmxremote.ssl=true
• To enable authentication, use of authentication is recommended. If you do not want to use authentication, you should change the value to false.
  • -Dcom.sun.management.jmxremote.authenticate=true
• If you are using authentication, specify the location of the password file
  • -Dcom.sun.management.jmxremote.password.file=c:\jmxremote.password
• If you are using authentication, specify the location of the access file
  • -Dcom.sun.management.jmxremote.access.file=c:\jmxremote.access

Refer Oracle documentation in this regard: http://docs.oracle.com/javase/1.5.0/docs/guide/management/agent.html#remote

Note: Refer to know more about monitoring a JMX Application if your application is behind a firewall. Also please note that the ping/telnet/nslookup should be working for the remote JMX:
telnet hostname port
ping hostname
ping IPAddress
nslookup hostname
nslookup IPAddress

Ceph Storage Monitor

Ceph status command is used to collect performance stats of Ceph Storage Monitor. The user given, should have read privileage to ceph.keyring file. Ensure the ceph.keyring file has appropriate permissions set (e.g., chmod 644) on your client machine.

Hadoop Monitor

1. To monitor Hadoop via REST API:

• No Authentication:
  • URL http://<host>:<port>/jmx should be able to accessed from the Applications Manager machine for both Namenode and Jobtracker/ResourceManager
• Simple Authentication:
  • URL http://<host>:<port>/jmx?user.name=<Hadoop host username> should be able to access from the Applications Manager machine for both Namenode and Jobtracker/ResourceManager

2. To monitor Hadoop via JMX:

• Add the following java runtime options to 'HADOOP_NAMENODE_OPTS'; 'HADOOP_JOBTRACKER_OPTS' in Hadoop-env.sh with unique port.
  • -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=8004

Apache Zookeeper

Prerequisites for monitoring Apache Zookeeper:

• Remote JMX should be enabled.
• To enable Remote JMX for Zookeeper in Linux Environments, please open the ZKServer file under bin folder and check whether the following requirements are satisfied:
  1. JMXPORT =<PORT NO>
  2. ZOOMAIN="-Djava.rmi.server.hostname=<IP address > -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMXPORT -Dcom.sun.management.jmxremote.authenticate=$JMXAUTH -Dcom.sun.management.jmxremote.ssl=$JMXSSL -Dzookeeper.jmx.log4j.disable=$JMXLOG4J org.apache.zookeeper.server.quorum.QuorumPeerMain"

• For Windows Environments, the below given changes should be implemented in zkServer.bat file under bin folder:
  1. set JMXPORT=<PORT NO>
  2. set ZOOMAIN="-Dcom.sun.management.jmxremote" "-Dcom.sun.management.jmxremote.port=%JMXPORT%" "-Dcom.sun.management.jmxremote.ssl=false" "-Dcom.sun.management.jmxremote.authenticate=false" "org.apache.zookeeper.server.quorum.QuorumPeerMain"

Note: Please refer this link for troubleshooting the JMX Connectivity issues related to Apache Zookeeper Server or any other monitor that comes under the JMX Mode of monitoring.

Java/Transactions

Java Runtime Monitor

To monitor a JDK1.5 JVM and above, add the following JVM arguments to your application:

-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=<IP Address>

To monitor IBM JDK1.5 JVM and above, add the following JVM arguments to your application:

-Djavax.management.builder.initial= -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=<IP Address>

Note: Port number '1099' can be replaced with the actual port number of the JMX agent.

• To enable Java Runtime Monitor in JBoss:
  • Edit the run.sh/bat under JBoss home/bin. Append the following command to JAVA_OPTS
    JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%-Djava.rmi.server.hostname=<IP Address>
• To enable Java Runtime Monitor in JBoss 7 and above:
  • Copy the jboss-client.jar from <JBoss Home>/bin/client/ and place it under <Applications Manager Home>/working/classes/jboss/as7 directory.
• To enable Java Runtime Monitor in Tomcat do the following:
  • Edit the catalina.sh/bat under Tomcat home/bin. Append the following command to JAVA_OPTS
    JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%-Djava.rmi.server.hostname=<IP Address>
• To enable SSL over JMX, use the following JMX parameters in addition to the above, and restart the server.
  • JMX Parameters:
    -Dcom.sun.management.jmxremote.ssl=true
    -Djavax.net.ssl.keyStore="E:/APMBuilds/certificates/jmx.keystore"
    -Djavax.net.ssl.keyStorePassword=password
    -Djavax.net.ssl.trustStore="E:/APMBuilds/certificates/jmx.truststore"
    -Djavax.net.ssl.trustStorePassword=password
  • Additionally, import the server certificate to "<Applications Manager Home>\working\jre\lib\security\cacerts" file and restart the server.

    Syntax:
    keytool -import -alias <certificat_aliasname> -file <target Application server Certificate> -keystore "<Applications Manager Home>\working\jre\lib\security\cacerts" -storepass changeit -noprompt

    Example:
    keytool -import -alias jmxcert -file "E:\APMBuilds\certificates\ssloverjmx.cer" -keystore "C:\Program Files (x86)\AppManager14\working\jre\lib\security\cacerts" -storepass changeit -noprompt

In the Tomcat Environment:

Make sure the catalina-jmx-remote.jar file is present in the $TOMCAT_HOME/lib location. This jar file can be downloaded for your version of Tomcat from the Apache website from the extras section (sample link: http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.55/bin/extras/catalina-jmx-remote.jar).

Enable JMX in WebLogic

• Open the startWebLogic.bat file in a text editor.
• Find the JAVA_OPTS line and add the following:
  -Dcom.sun.management.jmxremote
  -Dcom.sun.management.jmxremote.port=8888
  -Dcom.sun.management.jmxremote.authenticate=false
  -Dcom.sun.management.jmxremote.ssl=false
  -Djava.rmi.server.hostname=<IP Address>
• Restart WebLogic.

Active Directory

• Prerequisites for monitoring Active Directory metrics
• Using CredSSP Authentication for Active Directory monitoring

Prerequisites for monitoring Active Directory metrics

To monitor an Active Directory Service, the user must have "Administrator" privileges. To add an Active Directory Service, follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5 in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Grant access to the following list of ports on the firewall for Active Directory monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)
   • PowerShell Remoting (Default: TCP 5985 and 5986)
4. To monitor using Powershell, check whether both machines have PowerShell v5.1 installed. Make sure the proper steps are followed to enable Powershell remoting.

Note: It is also possible for a non-admin user to monitor Active Directory, except that some of the data may not be available for monitoring. If you want to monitor as a non-admin user, follow the steps mentioned in this link.

Using CredSSP Authentication for Active Directory monitoring

Istio

• Istio metrics are collected via kubectl, istioctl, curl, grep commands, so all the CLI tools mentioned should be installed on that machine where Istio is installed.
• Mesh traffic metrics collected by prometheus as running with ClusterIP, so prometheus should be deployed with Istio.

Network Policy Server (Radius Server)

To monitor Network Policy Server (Radius Server), the user must have "Administrator" privileges. To add an Network Policy Server (Radius Server), follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more, click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5 in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Firewall access for monitoring:Following are the list of ports required for monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

Note: If you want to monitor as a non-admin user, follow the steps mentioned in this link.

LDAP Server

Following are the list of LDAP-specific fields that need to be entered while adding the LDAP monitor:

1. LDAP Server and LDAP Server Port: Provide the host and port of the server where the service is running.
2. UserName and Password: UserName will the DN of the LDAP server. A Distinguished Name (DN) uniquely identifies an entry and describes its position in the Directory Information Tree (DIT). DN and password can be collected form the LDAP administrator.
   Example DN:cn=Manager,dc=example,dc=com

   Note: Username and password are needed only if the authentication is enabled.

3. Search Base: Search Base denotes the location in the directory where the search for a particular directory object begins. Entries greater than this level in the tree will be searched. Search base can be obtained by logging into Active directory or from the LDAP administrator.
   Example: ou=group,dc=example,dc=com
4. Search Filter: Search Filter is a basic LDAP Query for searching users based on mapping of username to a particular LDAP attribute. We need to use a search filter which uses the attributes specific to your LDAP environment. You can confirm this from your LDAP administrator.
   Example: cn=James
5. Matching Attribute: It is used to set the attribute that is to be fetched from the search operation. The attribute value fetched will be used to compare the result of the search operation with the search result provided based on the filter condition provided.
   Allowed options: CN, UID, SN, DisplayName, Givenname, ObjectClass, DC, OU, DirXML-State
   Learn more about the definition of the attributes
6. Filter Condition: The condition used to compare the matching attribute value and the search result provided.
   Allowed conditions: Equals, Contains, NotEquals
7. Search Result: It will be the expected result of the matching attribute value of search operation. Based on the filter condition provided, it will be compared with the matching attribute value got from search operation.

Apache Spark

The Apache Spark host and port should be accessible from the machine where Applications Manager server is running. Make sure that the required credentials are provided while adding the monitor.

Mail Servers

Exchange Server

Monitoring of Exchange Server is possible only if Applications Manager is running in a Windows System. Exchange Monitoring supports two Modes of Monitoring.

• Using WMI - If WMI is enabled in the remote machine in which Exchange Server is running.
• Using Windows PowerShell technology - To use Powershell for data collection, make sure the proper steps have been followed to enable and use remote commands in Windows PowerShell both in the Applications Manager server and the remote server.

Ports required for monitoring:

• Windows Management Instrumentation (WMI) (default : 445)
• Remote Procedure Call (RPC) (default : 135)
• PowerShell remoting - TCP 5985 and 5986
• Exchange PowerShell session - TCP 80 and 443

Note: It is also possible for a non-admin user to monitor Exchange Server, except that some of the data may not be available for monitoring. If you want to monitor as a non-admin user, follow the steps mentioned in this link.

Creating User Accounts, adding users and assigning roles

User Account Used for Monitoring:

The User Account used to add the monitor should be a member of View-Only Organization Management group. Make sure that the group has the following Roles assigned - Mailbox Search & Monitoring.

For Exchange View-Only Administrators:

This role allows read access only to Exchange organization container and containers with Exchange recipients in AD. They can verify settings, but can not change or add any settings. Only Powershell "Get-<cmdlet>" can be executed.

Adding Users and Assigning Roles

Adding Users to the View-Only Organization Management group and assigning roles in:

• Exchange 2010/2013/2016
  • Open Exchange Mangement Console in the Exchange Server.
  • To check if the user is already under View-Only Organization Management role group: Get-RoleGroupMember "View-Only Organization Management" | where-object {$_.Name -eq "<Username>"}
  • If the user is not under the specified role group,execute the below cmdlet to add the user: Add-RoleGroupMember "View-Only Organization Management" -Member <Username>
  • Next Add the two roles for View-Only Organization Management role group
  • New-ManagementRoleAssignment -SecurityGroup "View-Only Organization Management" -Role "Monitoring"
  • New-ManagementRoleAssignment -SecurityGroup "View-Only Organization Management" -Role "Mailbox Search"
• Exchange 2007:
  • Open Exchange Management Shell.
  • Execute the following cmdlet: Add-ExchangeAdministrator –Identity <Username> –Role ViewOnlyAdmin

Enabling CredSSP authentication

Configuring ConnectionURI for Powershell Remoting

The ConnectionURI is used to establish a connection to a remote computer using the URI address of the related HTTP or HTTPS endpoint.These connections are made over TCP port 80 for HTTP and TCP port 443 for HTTPS. By default,the connection URI is of the form http://<Hostname/IPaddress>/powershell and uses Kerberos authentication.

• With Kerberos Authentication: When the machine running Exchange Server is joined to the same domain as the machine running Applications Manager, either HTTP or HTTPS can be used with Kerberos Authentication.
• If Kerberos Authentication is not supported , or the machine is in another domain, the other option is to configure Basic Authentication for powershell virtual directory. To configure basic authentication in Exchange 2013, 2010 or 2007 using IIS Manager:
  • Open IIS Manager.
  • In the Connections pane, expand Default Web Site, and then click PowerShell.
  • Click Authentication in the results pane and enable Basic Authentication.

Note: If you decide to use Basic Authentication, HTTPS should be used as mode of connection for connectionURI. If the connectionURI should be customized it can be done so by clicking the "Customize ConnectionURI" option in new monitor page. To provide a different port for the connectionUri provide it in the following format: <https://<hostname>/Powershell:<portnumber> (or) <http://<hostname>/Powershell:<portnumber>
For Example: http://win-exchange13/Powershell:4444

Middleware/Portal

IBM WebSphere MQ

To monitor IBM Websphere MQ Series, the following jar files must be added to the respective locations:

For IBM Websphere MQ Series version	Jar files to be added	Location in Websphere MQ	Location in Applications Manager
Version 8 and above	com.ibm.mq.jar com.ibm.mq.pcf.jar com.ibm.mq.jmqi.jar com.ibm.mq.headers.jar and com.ibm.mq.commonservices.jar (OR) com.ibm.mq.allclient.jar and com.ibm.mq.pcf.jar	All the jar files can be found under <Websphere MQ Home Directory>\Java\lib directory.	Copy the jar files to <ProductHome>\working\jre\lib\ext directory.
Version 7	connector.jar com.ibm.mq.jar com.ibm.mq.pcf.jar com.ibm.mq.jmqi.jar com.ibm.mq.headers.jar com.ibm.mq.commonservices.jar	All the jar files can be found under <Websphere MQ Home Directory>\Java\lib directory.	Copy the jar files to <ProductHome>\working\jre\lib\ext directory.
Version 5.x/6.x	com.ibm.mq.jar com.ibm.mq.pcf-6.x.jar connector.jar	The jar files can be found under <Websphere MQ Home Directory>\Java\lib directory.	Copy the jar files to <ProductHome>\working\jre\lib\ext directory.

Note: The username & password length should be less than or equal to 12.

To monitor Queue statistics, make sure MONQ value is set to MEDIUM or HIGH for all queues. You can check the current MONQ status using
DISPLAY QSTATUS(Q1)
To modify,
ALTER QL(Q1) MONQ(MEDIUM)

where Q1 is the queue.

To monitor Channel statistics, make sure MONCHL value is set to MEDIUM or HIGH for all channels. You can check the current MONCHL status using
DISPLAY CHANNEL(QM1.TO.QM2)
To modify,
ALTER CHL(QM1.TO.QM2) CHLTYPE(SDR) MONCHL(MEDIUM)

where QM1.TO.QM2 is the channel name and SDR is its type.

IBM WebSphere Message Broker

To discover Message Broker, the following jars are required:

• ConfigManagerProxy.jar located at <Broker Home Directory> \classes directory.
• ibmjsseprovider2.jar located at <Broker Home Directory>\jre\lib directory.

Copy the two jar files to <AppManager Installation>\working\jre\lib\ext directory.

Note: Copy these jar files to <JavaHome>\jre\lib\ext directory if external JDK is configured for AppManager. Restart Applications Manager and try adding the monitor.

For IBM Integration Bus(MessageBroker 10.x):

• The following jars are required to monitor IIB:
  IntegrationAPI.jar
  jetty-io.jar
  jetty-util.jar
  websocket-api.jar
  websocket-client.jar
  websocket-common.jar
• IntegrationAPI.jar located at <Broker Home Directory>\common\classes directory.
• jetty-io.jar, jetty-util.jar, websocket-api.jar, websocket-client.jar, websocket-common.jar located at <Broker Home Directory>\common\jetty\lib directory.
• Copy the jar files to <ProductHome>\working\jre\lib\ext directory.

Note: Copy these jar files to <JavaHome>\jre\lib\ext directory if external JDK is configured for AppManager. Restart Applications Manager and try adding the monitor.

WebLogic Integration Server

Note: WebLogic Integration Server needs some additional configuration and conditions to be followed for monitoring.

• For monitoring WebLogic Integration Server 8.x, you should set the weblogic.disableMBeanAuthorization andweblogic.management.anonymousAdminLookup system variable to true for enabling data collection.
• Follow the steps given below:
  • Edit startWLS.cmd\sh present in the <WLS_HOME>/server/bin directory and add the following argument -Dweblogic.disableMBeanAuthorization=true and -Dweblogic.management.anonymousAdminLookupEnabled=true (click on the link to view the sample startWLS.cmd\sh file)
  • Restart the WebLogic Integration Server for the changes to take effect.
  • Copy weblogic.jar from folder /weblogic81/server/lib in Remote WebLogic server version 8 and place it under <AppManager Home >\working\classes\weblogic\version8 folder in the machine where Applications Manager is running.

MS Office SharePoint Server

To monitor MS Office SharePoint Server, the user must have Administrator privileges. Browse through the following topics to monitor SharePoint server based on server types:

• SharePoint Standalone server
• SharePoint Farm server

SharePoint Standalone Server

To monitor SharePoint Standalone Server, WMI access to remote server is required. Follow the below given steps to monitor SharePoint Standalone server through WMI:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5  in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Grant access to the following list of ports on the firewall for SharePoint server monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

To use Powershell for data collection, make sure proper steps have been followed to enable Powershell remoting.

Note: It is also possible for a non-admin user to monitor SharePoint server, except that some of the data may not be available for monitoring. If you want to monitor as a non-admin user, follow the steps mentioned in this link.

SharePoint Farm Server

To monitor SharePoint Farm Server, make sure proper steps have been followed to enable Powershell remoting on both remote server as well as Applications Manager-installed server. Once this is done, perform the following steps on the SharePoint server(s):

1. In the Server Manager, add the user account used for adding the Sharepoint to the following Groups:
   • Remote Desktop Users
   • WinRMRemoteWMIUsers__
   • WSS_ADMIN_WPG
2. Open the Sharepoint Management shell as an administrator and execute the below commands one-by-one:
   • Enable-PSRemoting -Force
   • Enable-WSManCredSSP –Role Server
   • winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'  [This is Optional]
   • winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'  [This is Optional]
   • Get-SPShellAdmin  [This command will return all the users who have the SharePoint_Shell_Access role]
   • Get-SPDatabase | Add-SPShellAdmin DOMAIN\UserName  [Replace Domain\Username with the user used to add the SharePoint Server]
   • Get-SPShellAdmin  [The added user should be listed]
   • Set-PSSessionConfiguration -Name Microsoft.PowerShell32 –ShowSecurityDescriptorUI  [This command will open up a dialog box. Add the user(s) with Read and Execute permissions then click OK]
   • Execute the above command again to ensure the permissions were applied correctly.

Enabling CredSSP Authentication for SharePoint Farm server monitoring

To monitor the SharePoint Farm server, CredSSP authentication should be used. To do so, enable the Use CredSSP Authentication and refer the prerequisites for using CredSSP authentication. Then, perform the following steps on the Applications Manager Server:

1. Open Windows PowerShell as Administrator.
2. Execute the below commands one-by-one in the Administrator PowerShell:
   • $cred=get-Credential
   • $s=new-PSsession “SharePointServerName” -authentication credssp -credential $cred  [Replace SharePointServerName with the FQDN of the SharePoint server]
   • Invoke-Command -Session $s -ScriptBlock {Add-PSSnapin Microsoft.SharePoint.PowerShell;}
   • Invoke-Command -Session $s -ScriptBlock {get-SPContentDatabase}  [This will return all the content databases in your SharePoint farm and ensure you have access]
   • Invoke-Command -Session $s -ScriptBlock {get-spserviceinstance}  [This will return the SharePoint service instances and ensure you have access]
   • Enter-PSSession -session $s  [You will now see the servers name in [ ] PS: c:\users\\documents]
   • Exit-PSSession

If there are any errors related to permissions issue while executing the above commands, resolve the same.
For any issues related to Add-SPShellAdmin, check the following link: https://technet.microsoft.com/en-us/library/ff607596.aspx

Microsoft Message Queue (MSMQ) Server

Below are the prerequisites for monitoring MSMQ server in Applications Manager:

• WMI Mode: WMI access to remote server is required.
• PowerShell Mode: PowerShell remoting should be enabled. For more information, check enable and use remote commands in Windows PowerShell.

To monitor Microsoft Message Queue (MSMQ) Server, the user must have Administrator privileges. To monitor the Microsoft Message Queue (MSMQ) Server, follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5  in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Grant access to the following list of ports on the firewall for Microsoft Message Queue (MSMQ) server monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

To use Powershell for data collection, make sure the proper steps have been followed to enable Powershell remoting.

Note: If you want to monitor as a non-admin user, follow the steps mentioned in this link.

Microsoft BizTalk Monitoring

To monitor a Microsoft BizTalk Server, the user must have Administrator privileges. To monitor the Microsoft Message Queue (MSMQ) Server, follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5  in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Firewall access for monitoring:Following are the list of ports required for monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

Note: It is also possible for a non-admin user to monitor Microsoft Biztalk server, except that some of the data may not be available for monitoring. If you want to monitor as a non-admin user, follow the steps mentioned in this link.

To use Powershell for data collection, make sure the proper steps have been followed to enable Powershell remoting.

Enabling Credential Delegation for Biztalk server

If the Biztalk Management Database is on a different server from that where Applications Manager is running, the credentials of the Biztalk Server should be delegated for data collection to happen (Delegation is disabled by default). Refer to know more about Enabling CredSSP Authentication.

Microsoft Skype for Business Server

To monitor a Microsoft Skype for Business Server, the user must have Administrator privileges. To monitor the Microsoft Skype for Business Server, follow the below given steps:

1. Install the latest .NET Framework on your Applications Manager machine.
2. Install/enable .NET Framework 3.5 on Applications Manager installed machine: (This needs to be done even if you have installed the latest version. To know more click here.)
   • To know how to enable .NET 3.5 in Windows Server 2008, click here.
   • To know how you can enable .NET 3.5  in other Windows Servers, click here.

   Note: The .NET Framework 3.5 prerequisite applies only to Applications Manager versions up to 173100.

3. Firewall access for monitoring:Following are the list of ports required for monitoring:
   • Windows Management Instrumentation (WMI) (Default : TCP 445)
   • Remote Procedure Call (RPC) (Default :TCP 135)
   • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)

Note: If you want to monitor as a non-admin user, follow the steps mentioned in this link.

Azure Service Bus

To add an Azure Service Bus Namespace in Applications Manager, a .pfx file (which contains the cryptographic information of private keys) of the certificate uploaded in Azure Management certificates is required.
In the console, execute the script <APM_HOME>/bin/exportCertificateToAppManager.sh/bat file to export the managed certificate of your account to Applications Manager.

To know more about creating certificates and uploading in Windows Azure portal, click here.

Example: <APM_HOME>/bin/exportCertificateToAppManager.bat [testCertificate.pfx] [password]

Apache ActiveMQ

Using JMX to monitor Apache ActiveMQ

Apache ActiveMQ has extensive support for JMX to allow you to monitor and control the behavior of the broker via the JMX MBeans.

You can enable/disable Remote JMX support as follows:

For Windows

• In Service Mode: Add the following entries in wrapper.conf file.
  <ActiveMQHome>/bin/win64/wrapper.conf (if 64-bit)
  <ActiveMQHome>/bin/win32/wrapper.conf (if 32-bit)

  wrapper.java.additional.13=-Dcom.sun.management.jmxremote
  wrapper.java.additional.14=-Dcom.sun.management.jmxremote.port=1099
  wrapper.java.additional.15=-Dcom.sun.management.jmxremote.authenticate=false
  wrapper.java.additional.16=-Dcom.sun.management.jmxremote.ssl=false
  wrapper.java.additional.17=-Djava.rmi.server.hostname=<HOSTNAME>

• In Non-Service Mode: Add the following lines in apachemq.bat file (located under <ActiveMQHome>/bin/ directory) before ACTIVEMQ_CLASSPATHis set.

  set ACTIVEMQ_SUNJMX_START=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=<HOSTNAME>

Replace <HOSTNAME> with hostname/IP of ActiveMQ-installed machine.

For Linux

Add the following lines in apachemq.sh file (located under <ActiveMQHome>/bin/ directory) under invoke_start() function:

ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=<HOSTNAME>"

Replace <HOSTNAME> with hostname/IP of ActiveMQ-installed machine.

Apache Kafka

Using JMX to monitor Apache Kafka

To enable JMX monitoring, set the JMX_PORT environment variable in the kafka-run-class.sh/kafka-run-class.bat file or use the standard Java system properties. Alternatively, you can set the KAFKA_JMX_OPTS environment variable in the kafka-run-class.sh/kafka-run-class.bat file to enable JMX monitoring in Applications Manager. The default JMX port is 9999.

For more information on configuring JMX, click here.

RabbitMQ

To monitor RabbitMQ in Applications Manager, the Management plugin has to be enabled in the RabbitMQ server. Kindly execute the following command under <RABBITMQ_HOME>/sbin to enable the Management plugin in the target RabbitMQ server:

rabbitmq-plugins enable rabbitmq_management

After enabling the Management plugin, check if the following URL is accessible from Applications Manager installed machine:

http://<Hostname>:<port>

where,

• Hostname: Hostname of the host in which the RabbitMQ server is present.
• Port: The port number of the Management plugin in the RabbitMQ server (Default value: 15672)

For more information on the Management plugin, kindly refer to this link.

Virtualization

VMware Horizon View Connection Broker

Supported Versions: VMware Horizon v7.x and above

Prerequisites for adding the Connection Broker monitor in the Applications Manager host:

• For VMware Horizon versions 7.x to 7.12, VMware Horizon View Connection Broker monitor uses Windows PowerShell for monitoring. Follow these steps to enable Windows PowerShell Remoting in the Applications Manager server and the remotely monitored Horizon View server:
  • Enable and Use Remote Commands in Windows PowerShell
  • Horizon View's Domain Server and its components should be accessible (able to ping) from the Applications Manager server.
• For VMware Horizon versions 7.13 and above, VMware PowerCLI is required for monitoring. Learn how to setup VMware PowerCLI

Docker

Since Docker and Docker Container metrics are collected via their REST APIs, it is necessary to enable Docker's REST API to add a Docker Monitor. To enable Docker's remote API on Docker host, follow the steps mentioned in this link.

VMware ESXi / vCenter

Supported Versions: ESX 3.5 and above; ESXi 3 and above

Following are the prerequisites for monitoring VMware ESXi servers / vCenter Virtual Infrastructure:

• The host server should be reachable from Applications Manager-installed machine.
• The user should have the Administrator privileges.

Citrix Hypervisor

• The host server URL should be reachable from Applications Manager-installed machine.
• The user should have the Administrator privileges.

KVM

• The host server should be reachable via SSH/Telnet from Applications Manager-installed machine.
• To perform VM start/stop operations from Applications Manager, root privileges are required.

Microsoft Hyper-V Server

Applications Manager makes use of WMI mode to monitor Hyper-V servers. Following are the prerequisites for monitoring Hyper-V servers:

• The host server should be reachable from Applications Manager-installed machine.
• The WMI should be enabled and all its services should be in running state.
• The user should have the Administrator privileges for VM monitoring.
• The user should have privileges for the namespace WMI root\virtualization\v2.

Oracle VM Manager Servers

• The host server URL should be reachable from Applications Manager-installed machine.
• The user should have the Administrator privileges.

Red Hat Virtualization (RHV)

• The host server URL should be reachable from Applications Manager-installed machine with FQDN.
• The user should have the Administrator privileges.

Web Server / Services

IIS Server

To add an IIS monitor

• URL for IIS server (http(s)://[Host/IP]:[PORT]) should be accessible from Applications Manager-installed server as we check for the Server header in the response.
• Monitoring IIS Website and Application Pool statistics:
  • For Applications Manager versions till 15110, we use the relevant server monitor credential to fetch data from the remote server. So adding Server monitor is mandatory to fetch IIS Website and Application Pool statistics.
  • From Applications Manager versions 15120 onwards, IIS server credential should be provided while adding/editing the IIS monitor itself. This is mandatory to monitor Website and Application Pool statistics.
• Mode of Monitoring: Users can choose between two different modes of monitoring - WMI and WinRM:
  • WMI: WMI access to remote server is required. Following are the list of ports that are required for monitoring through WMI:
    • Windows Management Instrumentation (WMI) (Default : TCP 445)
    • Remote Procedure Call (RPC) (Default : TCP 135)
    • For remote communication (DCOM), target server uses random port above 1024 by default to respond. (Default : TCP 1025 to 1030)
  • WinRM: Refer to this page to understand the prerequisites to WinRM mode of monitoring.

    Note: WinRM mode is only supported in Applications Manager versions 16820 and above.

To collect IIS Website Statistics

User must have the permission to execute WMI queries on 'root\CIMV2' namespace of the IIS Server.

To collect IIS Application Pools Statistics

For Applications Manager versions till 15110, user must have the permission to access 'root\MicrosoftIISv2' and 'root\WebAdministration' WMI namespaces.
From Applications Manager versions 15120 onwards, user must have permission to access 'root\WebAdministration' WMI namespace alone.

• For 'root\WebAdministration' namespace: Install the IIS WMI provider by selecting the IIS Management Scripts and Tools component under Management Tools (or Web Management Tools).
• For 'root\MicrosoftIISv2' namespace: To enable IIS v6 Management Compatibility tools, follow steps 3 & 4 as mentioned in this link.

Note: User account with Administrator permissions is mandatory for monitoring Application Pool Statistics.

Troubleshooting: In case you encounter with issues in IIS server monitoring, refer here.

PHP

Place the phpstats.php file in the webserver's document root. The phpstats.php can be found in <Applications Manager Home>/working/resourcesdirectory.

Apache

Enabling the Server status and the Extended-status will give additional information for the Apache server.

To enable the Server Status, follow the steps given below:

• In Apache's httpd.conf file, locate Location /server-status tag.
• Remove the comment in the Location/Server-status tag to enable SetHandler server-status.
• Change the attribute Deny from all to Allow from all.
• Remove the comment in LoadModule status_module modules/mod_status.so.
• Save the conf file and restart the Apache Server.

To enable the Extended-status, follow the steps given below:

• Locate ExtendedStatus attribute in httpd.conf file.
• Remove the comment to enable the status.
• Save the conf file and restart the Apache Server.

HAProxy

• Open the 'stats' port for collecting the metrics.
• To enable metrics collection, add the following content at the bottom of the file /etc/haproxy/haproxy.cfg:
  
  listen stats :9000
  mode http

  stats enable

  stats hide-version

  stats realm Haproxy\ Statistics

  stats uri /

  stats auth Username:Password
• Restart the HAProxy instance. This will open up the stats in the port '9000' (we have specified 9000 as the port in this configuration). You can further add the same HAProxy for monitoring using the hostname and port.

Note:
* You can change the port (9000 by default) to any free port that you wish to use.
* The line number 7 is for setting up basic authentication for this stats url. A user can provide his own username and password.
* We use the following URL to collect metrics: http://[HOSTNAME]:[PORT]/;csv
(Replace [HOSTNAME] and [PORT] with the respective hostname of the HAProxy instance and port which is mentioned in the above configuration).

IBM HTTP Server

• Open <IBM_HOME>HTTPServer/conf/httpd.conf and uncomment the following line to enable the mod_status.co module in the target IBM HTTP server:

  LoadModule status_module modules/mod_status.so

• To add/modify the access handler for the /server-status page add the following lines to the configuration file, and if already present modify it to following context:

  <Location /server-status>
  SetHandler server-status
  Require all granted
  </Location>

  Note: Making the above changes will open the /server-status handler with no restrictions. To restrict access to the Applications Manager, make the following changes to the configuration file:
  <Location /server-status>
  SetHandler server-status
  Required host <hostname_of_apm_installed_machine>
  Required ip <ip_of_apm_installed_machine>
  </Location>
  

• Enabling the ExtendedStatus is mandatory for monitoring metrics such as requests per second, bytes per second, bytes per request, etc. If the ExtendedStatus has not been enabled, follow the steps given below:
  1. Locate the line that starts with ExtendedStatus in the configuration file.
  2. Uncomment the line and set the status to 'On'.
• Restart the target IBM HTTP server after performing the above-mentioned steps and check if the URL given below is accessible from the Applications Manager installed machine,

  http://<hostname>:<port>/server-status

Oracle HTTP Server

• Open <ORACLE_HOME>/user_projects/domains/<domain_name>/config/fmwconfig/components/OHS/<server_component_name>/httpd.conf and uncomment the following line to enable the mod_status.co module in the target Oracle HTTP server:

  LoadModule status_module "${PRODUCT_HOME}/modules/mod_status.so"

• To add/modify the access handler for the /server-status page add the following lines to the configuration file, and if already present modify it according to the following context:

  <Location /server-status>
  SetHandler server-status
  Require all granted
  </Location>

  Note: Making the above changes will open the /server-status handler with no restrictions. To restrict access to the Applications Manager, make the following changes to the configuration file:
  <Location /server-status>
  SetHandler server-status
  Required host <hostname_of_apm_installed_machine>
  Required ip <ip_of_apm_installed_machine>
  </Location>
  

• Enabling the ExtendedStatus is mandatory for monitoring metrics such as Requests per second, Bytes per second, Bytes per request, etc. If the ExtendedStatus has not been enabled, follow the steps given below:
  1. Locate the line that starts with ExtendedStatus in the configuration file.
  2. Uncomment the line and set the status to "On".
• Restart the target Oracle HTTP server after performing the above-mentioned steps and check if the URL given below is accessible from the Applications Manager installed machine.

  http://<hostname>:<port>/server-status

Nginx

To Enable the Nginx Server Status, follow the steps given below:

• Configure the location /server_status method in nginx.conf file located under <NGINX_HOME>/conf/ directory to enable server_status.
• The value of stub_status attribute should be "on".
• Change the attribute "deny all" to "Allow all".
• Save the conf file and restart the Nginx Server.

Nginx Plus

Make sure that the location is defined with the ngx_http_api_module configured for your Nginx Plus server. Learn how to configure the API

Real Browser Monitoring (RBM)

RBM requires network connectivity between the End User Monitoring (EUM) agent and the Applications Manager server. This network connectivity can be ensured with the help of the VPN or NAT or by assigning an direct IP Address to the Applications Manager server. In the case where an agent is deployed within the local network and another one in a remote site, a dual NIC or any one of the above means would be required to ensure this connectivity.

For any further support please contact appmanager-support@manageengine.com. You can visit Troubleshooting details.

Webpage Analyzer

Following the steps to be done for setting up Webpage Analyzer monitor :

• Download the add-on for Webpage Analyzer.
• After downloading, extract the zip file contents into <Applications Manager Home>/working directory.

System Requirements with add-on

On-premise Setup

Number of Webpage Analyzer Monitors	OS	Processor	Memory	Hard Disk
1 to 10	Windows / Linux	4 Core / 2.4 GHz and above	8 GB	40 GB & above
11 to 30	Windows / Linux	8 Core / 2.4 GHz and above	16 GB RAM	75 GB & above

Cloud VM Setup

Number of Webpage Analyzer Monitors	Processor	Hard Disk	AWS recommended instance type	Azure recommended instance size
1 to 10	4 Core / 2.4 GHz and above	40 GB & above	Type: m4.xlarge vCPU: 4 Memory: 16 GB Processor: 2.4 GHZ	Size: D4s_v3 vCPU: 4 Memory: 16 GB Processor: 2.4 GHZ
11 to 30	8 Core / 2.4 GHz and above	75 GB & above	Type: m4.2xlarge vCPU: 8 Memory: 32 GB Processor: 2.4 GHZ	Size: D8s_v3 vCPU: 8 Memory: 32 GB Processor: 2.4 GHZ

Following are the components that can be found in the ZIP file of the add-on, which are required for data collection in Webpage Analyzer:

• Mozilla Firefox: Used as the browser in which the webpage is loaded.
• Gecko Driver: Used as a proxy that is used to communicate with Firefox.
• PageSpeed Insights: Used to retrieve PageSpeed results.
• Extension: Used to capture various performance metric data.

Real User Monitor

To learn how to set up Real User Monitoring in Applications Manager, refer here.

Web Services

The WSDL URL and endpoint URL should be accessible from the machine where Applications Manager server is running. Make sure that the required credentials are provided for reading the WSDL and endpoint URL response while adding the monitor.

HTTP(s) URLs

The URL should be accessible from the machine where Applications Manager server is running. Make sure that the required credentials are provided for reading the URL response while adding the monitor.

Website Content Monitor

The URL should be accessible from the machine where Applications Manager server is running. Make sure that the required credentials are provided for reading the URL response while adding the monitor.

REST API Monitor

The API should be accessible from the machine where Applications Manager server is running. Make sure that the required credentials are provided for reading the API response while adding the monitor.

ManageEngine ADManager Plus

Mode of Monitoring: Remote JMX

Security/Firewall Requirements:

• To monitor ADManager Plus, allow Applications Manger installed server to access the JMX port used by the ADManager Plus server.
• To monitor PostgreSQL DB of ADManager Plus, allow Applications Manager installed server to access the port in which Postgres DB server of ADManager Plus is running.

User Privilege: To monitor PostgreSQL DB of ADManager Plus, the user provided for monitoring should have at least read-only access to statistics collector.

For PostgreSQL/MS SQL database, statistics will be collected by connecting to the database.

ManageEngine ServiceDesk Plus

Security/Firewall Requirements:

• To monitor ServiceDesk Plus, allow Applications Manger installed server to access the ports (HTTP and HTTPS) used by the ServiceDesk Plus server.
• To monitor PostgreSQL DB of ServiceDesk Plus, allow Applications Manager installed server to access the port in which PostgreSQL DB server of ServiceDesk Plus is running.

User Privilege:

• To monitor ServiceDesk Plus, the user provided should be authenticated in ServiceDesk Plus.
• To monitor PostgreSQL DB of ServiceDesk Plus, the user provided for monitoring should have at least read-only access to statistics collector.

To monitor PostgreSQL DB, implement the following changes:

ManageEngine OpManager

Mode of Monitoring: Remote JMX

Prerequisites for monitoring ManageEngine OpManager:

For Windows:

In Service Mode:

1. Add below entries in wrapper.conf file.
C:\ManageEngine\OpManager\conf\wrapper.conf

# Enable Remote JMX
wrapper.java.additional.16=-Dcom.sun.management.jmxremote 
wrapper.java.additional.17=-Dcom.sun.management.jmxremote.port=1999 
wrapper.java.additional.18=-Dcom.sun.management.jmxremote.ssl=false 
wrapper.java.additional.19=-Dcom.sun.management.jmxremote.authenticate=false 
wrapper.java.additional.20=-Dcom.sun.management.jmxremote.rmi.port=1999 
wrapper.java.additional.21=-Djava.rmi.server.hostname=<Hostname/IP address of OpManager>

2. After adding the above entries, save the file and restart OpManager.

In Non-Service Mode:

Append the following parameters to JAVA_OPTS:

set JAVA_OPTS= %JAVA_OPTS%
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1999
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.rmi.port=1999
-Djava.rmi.server.hostname=<Hostname/IP address of OpManager>

For Linux:

Add the following entry in run.sh:

JAVA_OPTS="$JAVA_OPTS
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1999
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.rmi.port=1999
-Djava.rmi.server.hostname=<Hostname/IP address of OpManager>"

2. To monitor PostgreSQL DB, do the following changes:

• Open postgresql.conf file under <postgres home>/data directory.
• Check the value of the configuration parameter listen_addresses. It should be "*". Click here for more details on configuring postgresql.conf file.
• Open pg_hba.conf under <postgres home>/data
• Add a new line 'host all all 0.0.0.0/0 trust' to allow all the machines with proper password authentication to acces PostgreSQL database server. Click here for more details on configuring pg_hba.conf file.
• Open C:\ManageEngine\OpManager\conf\database_params.conf file and update the hostname/ipaddress instead of localhost.

APM Insight

Ensure that your environment meets the following prerequisites and configurations for smooth installation and monitoring of the agent.

Java Agent

• Version: Ensure the environment has Java version 8 or above.

  Note: For Java versions below 8, use Java Agent v5.5, available here.

• Network and Firewall: Allow outbound communication from the agent-installed machine to the Applications Manager (host and port) directly or through a proxy server.
• Permissions: The application user must have full access permissions to the agent directory.
• Uninstall any competing agents tools (Eg: Dynatrace, AppDynamics) before installing this agent.

Note: Please note that it is necessary to restart your application server to start monitoring after the agent installation.

.NET Agent

• Version: Ensure the environment is equipped with Microsoft .NET runtime version 4.0 or later and IIS 7.0 or higher (if onboarding IIS sites).
• Network and Firewall: Allow outbound communication from the agent-installed machine to the Applications Manager (host and port) directly or through a proxy server.
• Permissions: The application user must have full access permissions to the agent directory - C:\ProgramData\DotNetAgent.
• Uninstall any competing agents tools (Eg: Dynatrace, AppDynamics) before installing this agent.
• SharePoint/Multi-Domain environment: Specific configuration changes are required due to security concerns in these environments.

Note: After installing the agent, it is essential to restart your application server for monitoring to begin. For IIS sites, execute the IISRESET command; for Windows services and desktop applications, perform a manual restart of the respective services or apps.

Converged Infrastructure

Cisco UCS

Cisco UCS Manager should be installed and running in the Cisco UCS device while adding the monitor.

Custom Monitors

Database Query Monitor

For MSSQL, to run a specific query on a particular database, the database should be provided with "db_datareader" role or "db owner role" or "connect any database" at server level permission for the SQL user account.

Windows Performance Counter

To monitor a Windows Performance Counter, use the Cluster Domain Administrator username and password, for which the user account should have the permission to execute WMI queries on root\mscluster namespace in cluster server nodes.

Firewall access for monitoring:

Following are the ports required for monitoring via WMI:

• Remote Procedure Call (RPC) (Default :TCP 135)
• Windows Management Instrumentation (WMI) (Default : TCP 445)
• Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (Default : TCP 1025 to 1030)